Security scan
OpenClaw
Suspicious
Medium confidence: The skill's code largely matches a PDF→structured-data extractor, but it silently references an external vendor (yk-global.com) for API/key verification and reads an undeclared OPENAI_API_KEY environment variable — behavior that isn't documented in the SKILL.md and could leak keys/usage data.
Assessment and recommendations
This package mostly does what its name says (PDF→JSON/Excel via local extraction + AI calls), but there are two notable surprises you should investigate before installing or using with real data:
- The code and README reference a third-party endpoint (yk-global.com) used to 'verify API keys' or tiers. Find the full verify_api_key implementation (file was truncated here) and inspect exactly what data is sent. If it sends your API key or extracts metadata, that could expose your credentials or usage ...
⚠ Purpose and capabilities
Name/description and the Python modules (PDF extraction, OCR, AI-driven field extraction, Excel/JSON output) are consistent. However, the README and a truncated function docstring indicate an additional step: verifying API keys with https://api.yk-global.com (a third-party domain). That verification/telemetry step is not mentioned in SKILL.md or the registry metadata and is not necessary to perform local PDF extraction, so it is disproportionate to the stated purpose.
⚠ Instruction scope
SKILL.md shows the agent will call local scripts and asks users to supply an API key for AI extraction. But the runtime code also has a verify_api_key helper (docstring: "Verify API key via yk-global.com") which suggests the skill may make network calls to a vendor for license/tier checks. The SKILL.md claims the skill 'does not store keys', but it does not disclose any vendor verification or what is sent during verification — a gap between instructions and actual behavior.
✓ Installation mechanism
There is no install spec that downloads arbitrary archives; the package is pure Python code requiring common libraries (PyMuPDF, pdfplumber, pytesseract, openpyxl, requests). No unusual installers, URLs, or extract steps are present in the manifest.
⚠ Credential requirements
The skill's metadata declares no required env vars, but field_extractor.py will read OPENAI_API_KEY from the environment if an api_key parameter is not passed. Additionally, README and code refer to a yk-global.com verification endpoint — implying the API key (or at least parts of it) may be sent to a third party for tier verification. Requesting or using an API key for model calls is reasonable, but transmitting it to an unrelated vendor is not documented and is disproportionate to the stated extraction function.
✓ Persistence and permissions
The skill does not request always:true or any elevated persistent privileges. It does not appear to modify other skills or global agent settings from the provided files. Autonomous invocation is allowed (default) but not itself a new risk here.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.1 2026/4/21
Initial release of pdf-field-extractor-pro:
- AI-powered extraction of key fields from PDF documents into Excel or JSON.
- Supports various document types including invoices, contracts, receipts, bank statements, business licenses, IDs, shipping documents, and generic PDFs.
- Automatic document type recognition and field extraction workflow.
- Handles both text-based and scanned PDFs with integrated OCR.
- Enables batch processing and customizable output formats.
- Flexible pricing tiers with configurable quotas and features.
● Pending
Install command
Official: npx clawhub@latest install pdf-field-extractor-pro
Mirror (accelerated): npx clawhub@latest install pdf-field-extractor-pro --registry https://cn.longxiaskill.com