Mistral OCR

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: mistral-ocr
Version: 1.0.4

The skill transparently uploads user-provided files to Mistral's cloud servers for OCR processing, as explicitly stated in the 'Privacy Warning' sections of both SKILL.md and README.md. The `scripts/mistral_ocr.py` code uses the official `mistralai` client library to perform this action, retrieving the `MISTRAL_API_KEY` from environment variables. There is no evidence of unauthorized data exfiltration, malicious execution, persistence mechanisms, prompt injection attempts against the agent, or obfuscation. All actions align with the skill's stated purpose and are clearly disclosed to the user.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Any document processed with the skill is shared with Mistral’s cloud service, which may be inappropriate for confidential or regulated files.

Why it was flagged

The selected input file is read locally and uploaded to Mistral’s API for OCR. This is core to the skill and disclosed, but it means document contents leave the local environment.

Skill content

uploaded_file = client.files.upload(... "content": input_path.read_bytes(), ... purpose="ocr")

Recommendation

Use this only for files you are comfortable sending to Mistral, review Mistral’s privacy policy, and use an offline OCR tool for sensitive documents.

What this means

If the API key is exposed, someone else may be able to use the user’s Mistral account or incur usage under it.

Why it was flagged

The skill requires a Mistral API key and suggests optionally storing it persistently in a shell profile. This is expected for the Mistral API, but users should treat the key as an account credential.

Skill content

export MISTRAL_API_KEY=your_api_key_here ... echo 'export MISTRAL_API_KEY=your_api_key_here' >> ~/.zshrc

Recommendation

Store the API key carefully, prefer a secret manager or temporary environment variable on shared systems, and rotate the key if it may have been exposed.

What this means

A future dependency version could behave differently from the version the author tested.

Why it was flagged

The Python dependency is open-ended rather than pinned to an exact version, so future installs may pull newer package behavior. This is purpose-aligned for a Mistral wrapper but less reproducible.

Skill content

mistralai>=0.0.9

Recommendation

Review or pin the dependency version before installing in sensitive environments.