Security Scan
OpenClaw
Suspicious
medium confidence
Assessment and Recommendations
This skill appears to be a DocMind client, but the package metadata is incomplete and some instructions are inconsistent. Before installing or running it:
- Do not provide long-lived root Alibaba credentials blindly. Use least-privilege keys or temporary STS tokens.
- Expect the code to read credentials from the environment or the SDK credential chain (ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET and optional ALICLOUD_REGION_ID). The registry metadata should be updated to declare these...
⚠ Purpose and Capabilities
The skill's name and description match the code and SKILL.md: it submits and polls DocMind jobs. However, the published registry metadata declares no required environment variables or primary credential even though both SKILL.md and scripts use Alibaba Cloud credentials (ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET and optionally ALICLOUD_REGION_ID). This mismatch between claimed requirements and what the code actually needs is a notable inconsistency.
ℹ Instruction Scope
Runtime instructions are mostly scoped to submitting jobs, polling results, and saving outputs (expected for a document-parsing provider). But there are small inconsistencies: SKILL.md shows constructing the endpoint dynamically using regionId, but scripts/quickstart.js hardcodes the endpoint to 'docmind-api.cn-hangzhou.aliyuncs.com' (ignoring regionId). The validation step runs a py_compile loop over *.py files (this repo contains only JS), which is irrelevant and suggests sloppy packaging. Otherwise the instructions do not attempt to read unrelated system files or exfiltrate data beyond normal API calls.
ℹ Install Mechanism
There is no install spec (instruction-only), which is lower risk. The SKILL.md instructs users to npm install specific @alicloud packages — this is expected for a Node.js SDK client. Because installation is manual (no automatic arbitrary URL downloads), install risk is moderate but typical for SDK-based skills. Verify the npm package publishers before installation.
⚠ Credential Requirements
The code and SKILL.md require Alibaba Cloud credentials (access key ID/secret and optional region). The skill metadata, however, lists no required env vars or primary credential. This omission is significant: users may not realize they must provide cloud credentials, and the skill will read the credential provider chain at runtime. Also note the script reads DOCMIND_FILE_URL and will POST/GET network resources and write output files — those behaviors are proportional to the purpose but users should be explicit about what credentials and files they supply.
✓ Persistence and Privileges
The skill does not request permanent 'always' inclusion, does not declare elevated platform privileges, and does not modify other skills' configurations. It only writes artifacts to its own output directory as instructed in SKILL.md, which is expected for evidence and result storage.
Security is layered; review the code before running.
Runtime Dependencies
No special dependencies
Version
latest v1.0.2 2026/2/11
● Benign
Install Command
Official: npx clawhub@latest install alicloud-ai-text-document-mind
Mirror (accelerated): npx clawhub@latest install alicloud-ai-text-document-mind --registry https://cn.longxiaskill.com