Skill v1.0.1

ClawScan security

sales-report-parser · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 12, 2026, 5:41 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini

Summary: The skill's code, instructions, and requirements are consistent with its stated purpose (OCR → LLM JSON parsing → Excel); no hidden endpoints or unexplained credentials were found. The tool does, however, upload image and text data to the MiniMax API, so only send non-sensitive reports to it and run it in an isolated environment if needed.

Guidance: This skill appears to do what it says: run cnocr OCR locally, then send the OCR text and/or base64-encoded images to the MiniMax API to obtain structured JSON, and convert that JSON to Excel. Before installing or running it: 1) Understand that image contents and extracted text will be transmitted to the MiniMax endpoint; do not upload sensitive or confidential reports unless you trust the service and its data handling. 2) Run pip install -r requirements.txt in an isolated virtual environment to avoid dependency conflicts. 3) The script expects the API key to be passed on the command line; avoid putting keys in version-controlled files or shared shells. 4) Review minimax_langchain.py if you want to confirm its logging/telemetry behavior; the hardcoded API_KEY is just a placeholder, not an active backdoor. If you need offline processing or stricter data controls, skip the remote API steps and rely solely on the local OCR output.

Review Dimensions

Purpose & Capability
ok · Name/description (sales OCR → MiniMax JSON → Excel) match the included scripts. The required functionality (OCR via cnocr, LLM calls to MiniMax, JSON → Excel) is implemented, and nothing in the code asks for unrelated capabilities or credentials.
Instruction Scope
note · SKILL.md instructs installing the requirements and running the provided scripts; the runtime steps align with the code. Important note: images are base64-embedded and sent to the MiniMax API via the ChatOpenAI wrapper, so both OCR text and image content will be transmitted to the remote service. The documentation does not prominently warn about uploading image contents to a third party.
Install Mechanism
ok · There is no built-in install spec in the registry; SKILL.md recommends pip install -r requirements.txt. The requirements list standard packages (cnocr, langchain-openai, pandas, pillow, etc.). No arbitrary downloads from personal servers or URL shorteners are present in the code.
Credentials
note · The tool does not require hidden environment variables; API keys are supplied as CLI arguments (api_key). There is a hardcoded placeholder API_KEY = "自己的apk" in minimax_langchain.py (a harmless placeholder). The only sensitive secret you must provide is the MiniMax API key, which is proportional to the stated purpose, but be aware that providing that key gives the script the ability to send your data to the remote API.
Persistence & Privilege
ok · The skill is not always-enabled, does not request system-wide config paths, and does not modify other skills or system settings. It has no persistence privileges beyond running the scripts and writing output files (JSON/Excel) in the working directory.