Downloads: 951
Stars: 0
Active Installs: 1
Versions: 1
Install in OpenClaw
/install zerox
Description
Convert PDFs, DOCX, PPTX, and images to Markdown using zerox with GPT-4o vision, including OCR for scanned documents.
Usage Guidance
This skill will send your document contents to a remote model provider (via the zerox library). Before installing or running it, consider:
1) Privacy: do not use this on sensitive documents unless you trust the target API (api.apiyi.com or OpenAI endpoints) and its data-retention policy.
2) API key scope: provide a dedicated key with minimal scope or billing limits; storing it in ~/.openclaw/.env is supported by the script but not declared, so prefer setting the env var explicitly.
3) README asks you to edit node_modules/zerox/openAI.js to point to api.apiyi.com; editing installed package code is unusual and increases risk, so review that file to confirm where requests are sent.
4) Network & dependency risk: installing the 'zerox' npm package will add code that runs network requests; audit dependency versions and source before use.
5) If you need stronger assurance, request the maintainer/source repo, verify the zerox version and its openAI adapter, or run the conversion on a machine without network access to confirm behavior.
These items make the skill coherent but worthy of caution.
Capability Analysis
Type: OpenClaw Skill
Name: zerox
Version: 0.1.0
The skill is classified as suspicious due to significant vulnerabilities. The `scripts/convert-bg.mjs` script is vulnerable to shell injection via `osascript` on macOS, as the `filePath` argument is unsanitized when used to construct notification messages, potentially allowing arbitrary command execution. Additionally, both `scripts/convert.mjs` and `scripts/convert-bg.mjs` are vulnerable to arbitrary file writes/path traversal, as the `outputPath` argument is directly used to write files without proper validation, allowing an attacker to specify locations outside the intended output directory. The skill also accesses `~/.openclaw/.env` to retrieve an API key, which, while intended and documented, highlights its ability to read user configuration files.
Capability Assessment
Purpose & Capability
The name/description (convert PDFs/DOCX/PPTX/images to Markdown using zerox and GPT-4o vision) matches the included scripts and package dependency on 'zerox'. Requiring node and an API key for an external model gateway (APIYI_API_KEY) is consistent with calling a hosted model provider.
Instruction Scope
The runtime scripts do more than just run a converter: they will read an API key from process.env.APIYI_API_KEY or attempt to read ~/.openclaw/.env if the env var is absent (this config path was not declared in the registry metadata). The scripts upload document content to a remote model provider (via zerox), which means your documents will be transmitted off-machine; this privacy-affecting behavior is not emphasized in SKILL.md. README additionally instructs modifying the zerox package's openAI.js to point to https://api.apiyi.com/v1 — modifying node_modules is unusual and increases risk.
Install Mechanism
There is no registry install spec. package.json depends on 'zerox' (npm). README instructs running npm install and editing node_modules to change endpoints. Installing a third-party npm package is a normal step, but the README's suggestion to edit dependency source code (openAI.js) to use a third-party gateway increases the attack surface and is atypical.
Credentials
Only a single credential (APIYI_API_KEY) is required, which is proportionate for a gateway to a model provider. However, the code will read that key either from the environment or from ~/.openclaw/.env (not declared as a required config path). Also, that key will grant the skill the ability to send arbitrary document contents to the remote API, so its scope is sensitive and should be treated as high-privilege for data exfiltration concerns.
Persistence & Privilege
The skill does not set always:true, does not modify other skills or system-wide settings, and only writes logs and output into its own output directory. It does spawn detached background processes and issues macOS notifications (osascript), which are expected for a background converter and are scoped to the skill directory.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install zerox
- After installation, invoke the skill by name or use /zerox
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release of zerox document converter
- Convert PDF, DOCX, PPTX, and image files to Markdown using the zerox library
- Supports both scanned (OCR) and text-based documents via GPT-4o vision
- Includes scripts for quick (foreground) and large file (background) conversion
- Background conversion supports progress logging and macOS notifications
- Requires node and an APIYI_API_KEY environment variable for operation
Frequently Asked Questions
What is Zerox?
Convert PDFs, DOCX, PPTX, and images to Markdown using zerox with GPT-4o vision, including OCR for scanned documents. It is an AI Agent Skill for Claude Code / OpenClaw, with 951 downloads so far.
How do I install Zerox?
Run "/install zerox" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Zerox free?
Yes, Zerox is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Zerox support?
Zerox is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Zerox?
It is built and maintained by otacu (@otacu); the current version is v0.1.0.