Scan Report
5 /100
ocr-pro
Professional-grade OCR for PDFs and images using MinerU
OCR skill wrapping the legitimate MinerU open-source tool via CLI. No code/scripts present—only documentation describing a standard PDF/image text extraction tool with API token authentication.
Safe to install
No action needed. The skill is a thin wrapper over an open-source CLI tool with no hidden functionality.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | SKILL.md: 'Supports local files' |
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md: '-o <dir>' for output |
| Network | READ | READ | ✓ Aligned | SKILL.md: 'From URL' and extract from https:// URLs |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md: CLI tool invocation via Bash |
| Environment | READ | READ | ✓ Aligned | SKILL.md: 'MINERU_TOKEN' environment variable |
2 findings
Medium External URL 外部 URL
https://mineru.net SKILL.md:4 Medium External URL 外部 URL
https://mineru.net/apiManage/token SKILL.md:42 File Tree
1 files · 3.1 KB · 58 lines Markdown 1f · 58L
└─
SKILL.md
Markdown
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
mineru-open-api | * | npm/go | No | External CLI tool; implementation not reviewed here |
Security Positives
✓ No executable code—only documentation present
✓ All capabilities explicitly declared in SKILL.md
✓ Uses open-source MinerU project from Shanghai AI Lab (verified GitHub)
✓ API token authentication pattern is standard and secure
✓ No credential harvesting or exfiltration behavior
✓ No suspicious patterns: no base64, no eval, no subprocess chains, no IP connections