Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Document Processing
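v1.0.0
Supports PDF, Word, Excel, and PPT format conversion, content extraction, and batch processing, with automatic sync to Feishu cloud documents and push delivery of processing results.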
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md claims automatic Feishu sync and an OCR API key in configuration, but the Python implementation contains no network calls, does not read environment variables or config for Feishu/remote OCR, and the sync_to_feishu method is a stub. Also SKILL.md lists OCR and conversion dependencies but does not mention the external tesseract binary that pytesseract requires. These inconsistencies mean required credentials/configs in docs are not aligned with the actual code.
Instruction Scope
The instructions and examples operate on user-supplied file paths and a temp_dir; they do not instruct the agent to read unrelated system files or credentials. However, SKILL.md promotes saving results to Feishu and using an ocr_api_key, which the runtime instructions do not show how to use — giving the agent open discretion about syncing/uploading would be problematic if implemented later.
Install Mechanism
There is no install specification (instruction-only plus a single Python module). Nothing will be automatically downloaded or executed by an installer. Dependencies are Python packages listed in SKILL.md; installing them is standard but the skill does not provide an automated install script.
Credentials
The SKILL.md suggests configuration values like ocr_api_key, feishu doc_folder_token, and bitable_app_token but the code does not accept or read these credentials. Conversely, the code requires a Tesseract binary (pytesseract) which SKILL.md doesn't declare as an external requirement. Asking for cloud credentials in docs without using them is disproportionate and risks encouraging users to provide secrets unnecessarily.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It writes to a local temp_dir under its own control, which is normal for a document-processing utility.
What to consider before installing
This package appears to be a local document-processing utility but its documentation promises Feishu sync and cloud OCR keys that are not implemented in the code. Before installing or providing any secrets:
(1) Do not paste Feishu tokens or OCR API keys into configuration or environment variables for this skill until you verify the code actually uses them.
(2) If you need cloud sync, request or wait for a version where sync_to_feishu is implemented and network endpoints are explicit.
(3) Note that pytesseract requires a system Tesseract binary — install and test that separately.
(4) Run the module in a sandbox with non-sensitive documents to confirm behavior and watch for unexpected network activity.
(5) Prefer a version with explicit network calls (requests or httpx) and documented endpoints before providing production credentials.
Additional information that would raise confidence: a completed implementation of Feishu integration showing exact endpoints and auth flows, or updated SKILL.md that drops the cloud/credential requirements if they aren't needed.
Like a lobster shell, security has layers — review code before you run it.
latestvk97201vrdgmh2f4qj5bxvw59zs83nsg4
