Skill v1.0.26
ClawScan security
WiseDiag MedOCR · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 31, 2026, 7:28 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and runtime instructions match its stated purpose (upload a single PDF/image to WiseDiag for OCR and save Markdown locally); no unexpected credentials, endpoints, or install sources are present, though the registry metadata omits the required API key declaration.
- Guidance: This skill appears to do what it says: it uploads one file to WiseDiag's cloud OCR API and saves the returned Markdown locally. Before installing or using it, consider:
  1) Do NOT upload sensitive documents: the SKILL.md explicitly warns against IDs, financial, medical, biometric, credentials, or minor data.
  2) The script requires WISEDIAG_API_KEY; the package metadata omitted this, so be sure to set the environment variable rather than assume none are needed.
  3) The script calls https://openapi.wisediag.com; verify that domain and WiseDiag's privacy/data-retention policy meet your requirements.
  4) If you must process sensitive files, use an offline OCR alternative.
  5) As a best practice, set the API key in a secure location (avoid committing it to dotfiles or repos).
  Finally, if you want extra assurance, review network traffic or run the script in an isolated environment (VM/container) while testing with non-sensitive files.
Review Dimensions
- Purpose & Capability (note): The skill name/description (WiseDiag OCR to Markdown) aligns with its behavior: the script uploads a single PDF/image to WiseDiag's OCR endpoint, receives a JSON result, and writes Markdown to ~/.openclaw/workspace/WiseOCR. Note: the top-level registry metadata in the package summary listed no required env vars, but the SKILL.md and the script both require WISEDIAG_API_KEY; this metadata omission is an inconsistency to be aware of.
- Instruction Scope (ok): SKILL.md instructs the user to set WISEDIAG_API_KEY and run the provided Python script. The script only reads the input file, optionally inspects PDF page count, uploads the file to https://openapi.wisediag.com/v1/ocr/pdf, and saves returned markdown locally. It does not access other system files, other credentials, or unusual endpoints. The privacy warning in SKILL.md accurately reflects the upload behavior.
- Install Mechanism (ok): There is no custom install step; the project includes a requirements.txt (requests, pypdf) and recommends pip install -r requirements.txt. No remote arbitrary installers, URL downloads, or packaged binaries are present. The code file is plain Python and straightforward to inspect.
- Credentials (note): The only runtime secret required is WISEDIAG_API_KEY, which is reasonable and proportional for a cloud OCR service. However, the registry-level 'Requirements' field (provided earlier in the package metadata) did not list this env var while SKILL.md and the script both require it; this mismatch could confuse users or automated tooling.
- Persistence & Privilege (ok): The skill runs on demand (always:false) and is user-invocable. It writes output only to a subdirectory under the user's home (~/.openclaw/workspace/WiseOCR). It does not modify other skills, system-wide settings, or request permanent elevated privileges.
