Image Ocr
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: siliconflow-image-ocr Version: 1.0.1 The skill provides legitimate OCR functionality using the SiliconFlow API. The script `scripts/paddleocr_vl.py` implements standard multi-modal request logic, handling local file reading and remote URL processing without any signs of obfuscation, data exfiltration, or unauthorized execution. Credential handling for the API key follows the documented OpenClaw patterns (environment variables or local secret files), and the network communication is restricted to the official SiliconFlow endpoint.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an untrusted or mistaken base URL is used, the API key and OCR request could be sent to the wrong server.
The helper normally targets SiliconFlow, but it allows the API endpoint to be overridden while still sending the bearer token to that endpoint.
ap.add_argument("--base-url", default="https://api.siliconflow.cn/v1") ... url = args.base_url.rstrip("/") + "/chat/completions" ... "Authorization": f"Bearer {key}"Use the default SiliconFlow endpoint unless you intentionally trust a proxy or alternate endpoint, and do not let untrusted text decide the base URL.
Installing and using the skill gives it access to the configured SiliconFlow account for OCR calls.
The skill uses a SiliconFlow API key from the environment or a local secrets file to authenticate requests.
key = os.getenv("SILICONFLOW_API_KEY", "").strip() ... key_file = os.path.expanduser("~/.openclaw/secrets/siliconflow_api_key") ... "Authorization": f"Bearer {key}"Store the API key securely, use a least-privileged key if available, and revoke or rotate it if you no longer use the skill.
Screenshots, receipts, forms, or other selected images may leave the local device and be processed by the external OCR provider.
When a local image path is provided, the script encodes the image and sends it in the API request to the configured OCR provider.
content.append({"type": "image_url", "image_url": {"url": to_data_uri(args.image_path)}}) ... with urllib.request.urlopen(req, timeout=90) as resp:Only submit images you are comfortable sending to SiliconFlow or a trusted configured endpoint, especially if they contain IDs, financial data, or private documents.