Official skill for recognizing and extracting mathematical formulas from images and PDFs into LaTeX format using ZhiPu GLM-OCR API. Supports complex equation...
Security Analysis
high confidence
The skill's requirements, instructions, and bundled script are consistent with its stated purpose of calling the ZhiPu GLM‑OCR layout parsing API to extract formulas; nothing requests unrelated credentials or reaches unknown endpoints.
The skill is explicitly an OCR→LaTeX wrapper around ZhiPu's GLM‑OCR API. The declared env vars (ZHIPU_API_KEY, GLM_OCR_TIMEOUT) and the primaryEnv match that purpose. No unrelated binaries, config paths, or extra credentials are requested.
SKILL.md instructs the agent to run the included Python CLI and to only use the official GLM‑OCR API. It requires reading user-supplied local files (encoded as base64) or URLs — appropriate for OCR. The doc's strict 'no fallback' and 'only use API' rules are unusual but coherent with the author's intent and the code. The skill does not instruct reading other system files or environment variables beyond those declared.
There is no install spec (instruction-only plus an included script). The bundled script uses the widely used 'requests' package and exits with an informative message if it's missing. No downloads from untrusted URLs or archive extraction are present.
Only ZHIPU_API_KEY (primary) and an optional GLM_OCR_TIMEOUT are required — both justified. The script sends the key to the documented official endpoint (https://open.bigmodel.cn/api/paas/v4/layout_parsing). No unrelated secrets or multiple service credentials are requested.
The skill is not always-enabled and does not request elevated or persistent system privileges. It does not modify other skills or system-wide configs. Autonomous invocation is allowed but is the platform default and not combined with other red flags.
Guidance
This skill appears to do what it says: it calls ZhiPu's GLM‑OCR service using the ZHIPU_API_KEY you provide. Before installing, consider: (1) only provide a Zhipu API key you trust to use with this skill (or a dedicated key for isolation); (2) the script will read any local file you give it and include its contents (base64) in the API request — do not pass sensitive local files (private keys, secrets, personal documents) you don't want sent to the OCR service; (3) the SKILL.md forbids local fallback parsing — if the API is down the skill will stop per instructions; (4) ensure the execution environment has Python and the 'requests' package available or install it yourself. If you want tighter control, create a Zhipu API key with limited scope/quota or only run the script on files you explicitly approve.
Latest Release
v1.0.4
- No user-visible changes; this version contains no updates to code or documentation.
- All features, behavior, and documentation remain unchanged from the previous version.
Published by @jaredforreal on ClawHub