by 安全扫描
OpenClaw
安全
medium confidenceThe skill is internally consistent: it declares and uses a single CLI (mineru-open-api) to upload and convert documents, and its install and runtime instructions match its stated purpose—however, it uploads files to a third‑party cloud service (no credentials), so verify privacy before sending sensitive documents.
评估建议
This skill appears to do what it says, but it uploads documents to MinerU's cloud without requiring an API key. Before installing or using it: (1) Do not upload sensitive or confidential documents unless you trust mineru.net and have read their privacy policy; (2) Verify the mineru-open-api package source (npm page, GitHub repo) and install from a trusted package manager; (3) If possible, inspect the package code or checksums before running it; (4) Test with non-sensitive sample files first; (5)...详细分析 ▾
✓ 用途与能力
Name/description, required binary (mineru-open-api), and the install specs (npm/uv/go) all align with a CLI-based document-to-Markdown converter. There are no unrelated binaries or unexpected credential requests.
ℹ 指令范围
SKILL.md instructs the agent to run mineru-open-api flash-extract on local files or URLs and explicitly states the CLI uploads documents to MinerU's cloud for processing. The instructions do not ask the agent to read unrelated files or environment variables, but they do cause user documents to be transmitted externally; the SKILL.md claims 'not stored' which cannot be verified from the instructions alone.
ℹ 安装机制
Install methods (npm, uv, go install from a GitHub path) are standard for a CLI. There is some risk inherent in installing third-party packages: the publisher is not a broadly-known vendor here and SKILL.md also offers a direct download link on mineru.net. Verify package source and integrity before installing.
✓ 凭证需求
The skill declares no required environment variables or credentials, which is proportionate for a simple CLI wrapper. Note: absence of credentials means files are processed by a public/unauthenticated endpoint — a privacy (not a coherence) concern.
✓ 持久化与权限
The skill is not marked always:true and does not request elevated agent persistence or modify other skills. Autonomous invocation is allowed (default) but is not combined with other red flags.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/25
Initial release of word-to-markdown. - Convert Word, PowerPoint, and Excel files (DOCX, PPTX, XLS, XLSX) to Markdown using MinerU Open API. - Supports both local files and URLs; maximum 10MB or 20 pages per document. - No API key, sign-up, or authentication required. - Preserves text, tables, and document structure; images may be replaced with placeholders. - Fast and privacy-conscious: files are not stored after extraction. - Available as a CLI; install via npm, uv, or go.
● 可疑
安装命令
点击复制官方npx clawhub@latest install word-to-markdown
镜像加速npx clawhub@latest install word-to-markdown --registry https://cn.longxiaskill.com