WiseOCR

Pass

Audited by ClawScan on May 1, 2026.

Overview

WiseOCR is a coherent cloud OCR skill that discloses its main privacy tradeoff: selected documents are uploaded to WiseDiag for processing.

Install only if you are comfortable sending chosen files to WiseDiag's cloud OCR service. Avoid sensitive documents, protect the WISEDIAG_API_KEY, consider pinning dependencies for reproducible installs, and treat generated Markdown as untrusted extracted document text.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The contents of the file you choose to OCR are transmitted to WiseDiag's servers for processing.

Why it was flagged

The selected PDF/image is uploaded to an external WiseDiag API for OCR. This matches the stated cloud-OCR purpose and is disclosed, but document contents cross a data boundary.

Skill content

DEFAULT_SERVICE_URL = "https://openapi.wisediag.com" ... requests.post(endpoint, files=multipart, params=params, headers=headers, timeout=REQUEST_TIMEOUT)

Recommendation

Use this only for documents you are comfortable sending to WiseDiag; use local/offline OCR for confidential, regulated, or highly personal documents.

What this means

The API key may remain on the machine and could be exposed through shell profile backups, sharing, or local account access.

Why it was flagged

The README suggests a user-directed way to persist the WiseDiag API key in a shell profile. This is purpose-aligned, but it stores a credential in plaintext local configuration.

Skill content

echo 'export WISEDIAG_API_KEY=your_api_key_here' >> ~/.zshrc

Recommendation

Prefer a temporary environment variable or secret manager when possible, and use a scoped/revocable WiseDiag key.

What this means

Installing later could pull different dependency versions than the author tested.

Why it was flagged

The Python dependencies are specified as version ranges rather than exact pins. This is common for simple Python tools, but future installs may resolve to newer package versions.

Skill content

requests>=2.28.0
pypdf>=3.0.0

Recommendation

If supply-chain reproducibility matters, install in a virtual environment and pin or review dependency versions before use.

What this means

If a future agent reads the generated Markdown, any instructions embedded in the original document could be mistaken for directions.

Why it was flagged

OCR text returned from the document is persisted as Markdown in the OpenClaw workspace. This is expected for OCR output, but the text may contain untrusted document content.

Skill content

markdown = data.get("markdown", "") ... out_path.write_text(markdown, encoding="utf-8")

Recommendation

Treat generated OCR Markdown as untrusted document data, not as instructions for the agent.