Official skill for recognizing and extracting tables from images and PDFs into Markdown format using ZhiPu GLM-OCR API. Supports complex tables, merged cells...
Security Analysis
high confidenceThe skill's code, instructions, and requested environment variables are consistent with its stated purpose (calling ZhiPu's GLM-OCR layout parsing API to extract tables), with only minor hygiene issues to review before use.
The name/description (table OCR via ZhiPu GLM-OCR) match the actual behavior: the script posts images/PDFs to the official open.bigmodel.cn layout_parsing endpoint using ZHIPU_API_KEY. One minor inconsistency: the registry metadata lists no required binaries/dependencies, but the skill requires a Python runtime and the 'requests' package (the CLI exits with an error if requests isn't installed).
SKILL.md instructs the agent to run the provided Python CLI against an official fixed endpoint and explicitly prohibits local fallback table-parsing or sending data to other endpoints. The instructions reference only relevant env vars (ZHIPU_API_KEY, GLM_OCR_TIMEOUT) and the script's CLI parameters; they do not instruct reading unrelated files or credentials.
No install spec or external downloads are used; the skill is instruction + small script. The script depends on the 'requests' package but there is no install step declared—this is low risk but a missing dependency declaration (pip/requirements) should be addressed.
Only ZHIPU_API_KEY (primary credential) and an optional GLM_OCR_TIMEOUT are requested; both are directly required for calling the upstream API. No unrelated secrets or config paths are requested.
The skill does not request persistent/always installation and does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) and is not combined with other red flags.
Guidance
This skill appears to do what it says: it uploads images/PDFs to ZhiPu's GLM-OCR layout_parsing API and returns Markdown table output. Before installing: (1) Be aware that image/document contents are sent to a third-party API (open.bigmodel.cn) — do not send sensitive data unless you're comfortable with that service. (2) The script requires Python and the 'requests' package but the registry metadata didn't list those dependencies — ensure your environment has Python and install requests (pip install requests). (3) The script encodes local files as base64 data URIs (large files become large JSON payloads); consider file size limits and timeouts (set GLM_OCR_TIMEOUT if needed). (4) The skill recommends reusing a ZHIPU_API_KEY across Zhipu skills — treat your key like any API secret (rotate, limit scope if possible). (5) If you need offline/local OCR or different endpoints, this skill intentionally forbids fallbacks; choose a different tool if you require that behavior. Finally, verify the skill's source/homepage and only provide your API key if you trust that endpoint.
Latest Release
v1.0.3
No file changes detected in this version. There are no functional updates or documentation changes in 1.0.3. - No code or documentation changes since the previous version. - Behavior and usage remain unchanged.
More by @jaredforreal
Published by @jaredforreal on ClawHub
