Supports intelligent summarization and format conversion for PDF, Word, and Markdown, with batch processing and progress reporting to improve document-processing efficiency.
Security Analysis
High confidence: The skill largely matches its document-processing purpose, but contains undocumented network/billing logic and a hard-coded billing API key that do not align with the published description or metadata — review before use.
The name/description and most code files implement PDF/Word/Markdown summarization and conversion, which is coherent. However, a bundled 'paid' variant (scripts/doc_processor_paid.py) includes SkillPay billing integration (skillpay.me) and an embedded BILLING_API_KEY and SKILL_ID that are not mentioned in SKILL.md or registry metadata. The presence of billing code in a tool advertised as a free document processor is unexpected and should be justified.
SKILL.md instructs running scripts/doc_processor.py and references OPENAI_API_KEY for AI summarization. It does not mention the paid script or any billing/remote calls. The codebase includes additional scripts (doc_processor_paid.py and v2) that import 'requests' and contact external endpoints; this expands runtime actions beyond the documented instructions and the user-visible examples.
No install spec downloads arbitrary code; this is an instruction-and-source bundle. Dependencies are local Python packages (PyPDF2, python-docx, markdown, beautifulsoup4) and no external installers or archive downloads are used.
Registry metadata declares no required environment variables, but SKILL.md and code reference OPENAI_API_KEY for AI summarization (expected). More concerning: scripts/doc_processor_paid.py hard-codes a BILLING_API_KEY and a user-specific VENV_PYTHON path. A billing API key embedded in code is disproportionate and sensitive; the skill also performs network calls to billing endpoints without documenting them in metadata or instructions.
The skill does not request always:true, does not claim to modify other skills, and appears to run as user-invoked scripts. No elevated persistence or automatic always-on behavior is present in the metadata.
Guidance
This skill's core document-processing code appears legitimate, but there are important red flags you should address before installing or running it: (1) The package includes a 'paid' script that contacts an external billing service (skillpay.me) and contains a hard-coded billing API key — treat that key as sensitive and avoid running that script until you confirm its legitimacy. (2) The registry metadata does not declare environment variables (OPENAI_API_KEY) referenced in the docs; expect to provide your OpenAI key if you plan to use AI summarization. (3) Run the code in a restricted environment (container or sandbox) and inspect or remove the paid script if you do not intend to use billing. (4) Ask the author for provenance: where the hard-coded billing key came from, why billing is bundled but undocumented, and for a version without embedded secrets. If you cannot verify the source or the billing integration, do not run the paid script and consider rejecting this skill.
Latest Release
v1.2.0
Improvements: full TextRank algorithm, intelligent fallback strategy, enhanced keyword extraction, improved error handling.
Published by @imgolye on ClawHub