ebook-to-md

ReviewAudited by ClawScan on May 1, 2026.

Overview

The skill appears purpose-aligned for OCR-to-Markdown conversion, but users should notice that documents/images are sent to Baidu OCR and that Baidu credentials plus manual dependencies are needed.

Install this if you are comfortable sending selected files to Baidu OCR and using Baidu API credentials. Verify Calibre and Python dependencies from trusted sources, use scoped/rotatable Baidu keys, and choose output paths carefully.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI07: Insecure Inter-Agent Communication

What this means

Private PDFs, images, EPUBs, or MOBIs you convert may be uploaded to Baidu OCR for processing.

Why it was flagged

The converter base64-encodes the supplied document and posts it to Baidu's OCR/parser endpoint, which is expected for OCR but means document contents leave the local machine.

Skill content

data = {"file_data": file_data, "file_name": file_name}
    resp = requests.post(PADDLE_VL_SUBMIT_URL, params=params, headers=headers, data=data)

Recommendation

Use this only for documents you are allowed to send to Baidu OCR, and avoid highly confidential files unless that data flow is acceptable.

Low

#ASI03: Identity and Privilege Abuse

What this means

Your Baidu OCR API credentials are used by the skill to call Baidu services.

Why it was flagged

The skill uses Baidu API key and secret values to obtain an access token. This is purpose-aligned for Baidu OCR, but it is still credential handling.

Skill content

params = {"grant_type": "client_credentials", "client_id": api_key, "client_secret": secret_key}
        resp = requests.post(url, params=params)

Recommendation

Provide only the intended Baidu OCR keys, prefer scoped/rotatable credentials, and rotate them if exposed.

Low

#ASI05: Unexpected Code Execution

What this means

If you convert MOBI or EPUB files, a local Calibre command will process the file on your machine.

Why it was flagged

For MOBI/EPUB conversion the skill invokes Calibre's ebook-convert binary. This local command execution is documented and central to the ebook conversion feature.

Skill content

result = subprocess.run(
            ["ebook-convert", str(path), tmp_pdf],
            capture_output=True,
            text=True,
            timeout=300,
        )

Recommendation

Install Calibre from a trusted source and only convert files you trust or are comfortable parsing with local conversion tools.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

You may need to manually install dependencies and trust a package without a linked homepage/source repository.

Why it was flagged

The package provenance and installation metadata are sparse, while the skill relies on manual dependencies and credentials documented in SKILL.md. This is not suspicious by itself, but users should verify setup sources.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Review the included code, install requests/Calibre from trusted package sources, and prefer registry metadata that declares required binaries and environment variables.