Document extraction API by Nanonets. Convert PDFs and images to markdown, JSON, or CSV with confidence scoring. Use when you need to OCR documents, extract invoice fields, parse receipts, or convert tables to structured data.
Security Analysis
medium confidenceThis is an instruction-only OCR skill that coherently uses an external Nanonets-style API and requires an API key; metadata inconsistencies (manifest vs registry) warrant caution but do not indicate malicious behavior.
The skill's name and SKILL.md describe an OCR/document-extraction service and all runtime examples call an external extraction API — requiring an API key for that service is expected. Minor inconsistency: registry metadata at the top reports no required env vars, but the included package.json and SKILL.md clearly request DOCSTRANGE_API_KEY.
SKILL.md contains explicit curl examples and configuration guidance limited to sending documents to the documented extraction endpoints and storing an API key. It does not instruct the agent to read unrelated files, system secrets, or exfiltrate data to unknown endpoints. Note: the documented behavior necessarily transmits document content (potentially sensitive) to the external API.
No install spec and no code files that would be executed; the skill is instruction-only, which minimizes disk-written code risk.
Only one credential (DOCSTRANGE_API_KEY) is required per package.json and SKILL.md — appropriate for a hosted OCR API. However, registry metadata in the skill summary stated 'Required env vars: none', which contradicts the package.json's openclaw.requiredEnv and primaryEnv entries; this mismatch should be resolved before trusting automated configuration.
always is false and there is no request to modify other skills or system-wide agent settings. The skill may be invoked autonomously (platform default), which is expected for a user-invocable skill.
Guidance
This skill appears to do what it says: it sends documents to an external document-extraction API and requires a DOCSTRANGE_API_KEY. Before installing: (1) confirm the API key comes from a legitimate provider (check the real homepage/policy for Nanonets or DocStrange); (2) avoid sending highly sensitive PII or secrets to the service unless you trust its privacy/security policy; (3) prefer storing the API key in your agent's secret store or environment variables (not in plaintext ~/.openclaw/openclaw.json); (4) resolve the metadata mismatch (registry says no env vars while package.json/SKILL.md require DOCSTRANGE_API_KEY) — that may be a packaging error; and (5) if you need higher assurance, ask the publisher for a source repository or official homepage before enabling the skill.
Latest Release
v1.0.2
- Added detailed recommendations to use environment variables for API key management, with security precautions for storing keys in configuration files. - Introduced a new Security & Privacy section covering data handling, privacy policy review, PII guidance, API key handling, compliance, and operational safeguards. - Included best practices for limiting permissions, rotating API keys, and monitoring usage. - Documented file size limits and advice on endpoint usage for large documents. - Updated and expanded instructions and notes for improved security and operational rigor. - No functional changes to the API or code itself; documentation and instructions only.
Popular Skills
Published by @shhdwi on ClawHub
