Scan Report
5 /100
photo-ocr
OCR for photos and images using MinerU. Extract text from photographs, screenshots, camera captures, and image files with high accuracy.
This is a documentation-only skill that wraps a legitimate CLI tool (mineru-open-api) for OCR operations. No malicious code or suspicious behavior detected.
Safe to install
This skill is safe to use. Ensure the mineru-open-api binary is from the official source and review MINERU_TOKEN scope before production use.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Aligned | SKILL.md metadata declares mineru-open-api binary requirement |
| Network | READ | READ | ✓ Aligned | flash-extract accepts URLs (line 21), documented feature |
| Shell | WRITE | WRITE | ✓ Aligned | CLI tool invocation via Bash is documented |
2 findings
Medium External URL 外部 URL
https://mineru.net SKILL.md:4 Medium External URL 外部 URL
https://mineru.net/apiManage/token SKILL.md:51 File Tree
1 files · 3.6 KB · 68 lines Markdown 1f · 68L
└─
SKILL.md
Markdown
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
mineru-open-api | latest | npm/go | No | External CLI tool - binary required, install from official npm/go registries |
Security Positives
✓ Documentation-only skill with no executable code
✓ Clear description of tool capabilities and limitations
✓ Authentication requirements properly documented (MINERU_TOKEN for extract, none for flash-extract)
✓ No credential harvesting or exfiltration behavior
✓ External dependencies (mineru-open-api) declared in metadata
✓ Output directory specification is explicit and user-controlled
✓ No base64, eval, or dynamic code execution patterns
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)