Trusted: risk score 5/100
Last scan: 2 days ago
doc-to-markdown
Convert Word documents (.doc/.docx) to clean Markdown using MinerU's document processing engine
The skill is a thin documentation wrapper for the legitimate mineru-open-api CLI tool. No implementation code exists beyond SKILL.md; all declared capabilities match actual usage patterns.
Skill name: doc-to-markdown
Analysis time: 32.9s
Engine: pi
Safe to install
Skill is safe to use. No code review needed beyond the external binary.

Security findings: 3

Severity: Low
Finding: npm install without version pinning
SKILL.md shows 'npm install -g mineru-open-api' without pinning to a specific version. Future malicious versions could be installed.
    npm install -g mineru-open-api
→ Pin to a specific version: npm install -g [email protected]
Location: SKILL.md:12

Severity: Low
Finding: No code audit trail for external binary
The skill delegates all document processing to the external mineru-open-api binary. Any vulnerabilities in that binary are not visible in this skill package.
    Built on MinerU by OpenDataLab (Shanghai AI Lab)
→ Users should verify the integrity of mineru-open-api from its official GitHub (github.com/opendatalab/MinerU-Ecosystem) before installation
Location: SKILL.md:1

Severity: Info
Finding: API token sent to external service
MINERU_TOKEN is sent to mineru.net when extracting .doc files. This is declared and necessary for the service.
    export MINERU_TOKEN="your-token"
→ Ensure MINERU_TOKEN has minimal scope/permissions. No evidence of exfiltration.
Location: SKILL.md:43
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | READ | READ | ✓ Consistent | SKILL.md: reads .doc/.docx input files
Filesystem | WRITE | WRITE | ✓ Consistent | SKILL.md: '-o ./out/' writes .md output
Network access | READ | READ | ✓ Consistent | SKILL.md: 'supports local files and URLs'; API calls to mineru.net for .doc extr…
Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md: npm/golang install commands; CLI invocations
Environment variables | READ | READ | ✓ Consistent | SKILL.md: reads MINERU_TOKEN env var for authenticated .doc extraction
Skill invocation | NONE | NONE | | No nested skill invocation declared or observed
External URLs: 2 findings

Severity | Type | URL | Location
Medium | External URL | https://mineru.net | SKILL.md:4
Medium | External URL | https://mineru.net/apiManage/token | SKILL.md:45

Directory structure

1 file · 3.3 KB · 60 lines
Markdown: 1 file · 60 lines
└─ SKILL.md (Markdown, 60 lines, 3.3 KB)

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
mineru-open-api | * | npm/go | (none listed) | Version not pinned in SKILL.md; binary executed at runtime

Security highlights

✓ No implementation scripts or code - skill is purely documentation
✓ All declared capabilities (filesystem, network, shell, env) match documented usage
✓ No credential harvesting beyond the service token required for the feature
✓ No base64, eval, curl|bash, or other high-risk patterns detected
✓ No sensitive path access (~/.ssh, ~/.aws, .env) or data exfiltration
✓ Uses standard package managers (npm, go) with official sources
✓ No hidden functionality - SKILL.md fully describes the tool's behavior
✓ Open-source tool (MinerU) with community visibility