← Back to Skills Marketplace
694
Downloads
0
Stars
3
Active Installs
1
Versions
Install in OpenClaw
/install ucloud-deepseek-ocr
Description
OCR text recognition using DeepSeek-OCR model. Use when user asks for OCR, text recognition, image text extraction, screenshot recognition, or converting ima...
Usage Guidance
This script mostly does what the skill claims (encode an image and call a remote OCR model) but has a few red flags: 1) The SKILL.md path ({baseDir}/scripts/ocr.sh) does not match the provided file (script/ocr.sh) — verify the correct path before running. 2) The script sources ~/.openclaw-env if present; avoid running it if that file might contain untrusted commands or secrets. Consider opening that file to inspect its contents, or run the script in a controlled environment (container or sandbox). 3) Confirm you trust the API host (https://api.modelverse.cn by default) before providing DEEPSEEK_OCR_API_KEY. 4) If you want the key stored in ~/.openclaw/openclaw.json as documented, understand the script will not read that file unless you modify it. If you are not comfortable with these issues, request a corrected SKILL.md and/or a version of the script that reads a specified config file (without sourcing) or accepts the API key via an explicit argument or a securely-loaded env var.
Capability Analysis
Type: OpenClaw Skill
Name: ucloud-deepseek-ocr
Version: 1.0.0
The skill is classified as suspicious due to multiple shell injection vulnerabilities in `script/ocr.sh`. The `API_URL` variable is used unquoted in the `curl` command, allowing for arbitrary `curl` argument injection if an attacker controls the `DEEPSEEK_OCR_API_URL` environment variable. Additionally, the `IMAGE_PATH` variable is unquoted when passed to `base64` and in file existence checks, posing further shell injection risks. The skill also presents a prompt injection vulnerability against the DeepSeek-OCR model via the `output_format` parameter, allowing an attacker to manipulate the AI model's instructions.
Capability Assessment
Purpose & Capability
Name/description, required binaries (curl, jq, base64), and the single API key align with an OCR integration that sends base64 images to a remote model. However there are small mismatches: SKILL.md examples reference {baseDir}/scripts/ocr.sh while the repository provides script/ocr.sh (singular), and SKILL.md documents storing the key in ~/.openclaw/openclaw.json while the script actually sources ~/.openclaw-env. These inconsistencies may cause confusion or breakage.
Instruction Scope
The runtime script behaves as expected for OCR (base64-encodes local images and posts to the model API). But it unconditionally sources ~/.openclaw-env if present. Sourcing a user file can execute arbitrary shell commands and may load unrelated environment variables; that is broader scope than necessary for OCR and is a potential local-execution risk. The script also prints an instruction telling the user to 'source ~/.openclaw-env', reinforcing this dependency even though the SKILL.md suggests a different config location.
Install Mechanism
Instruction-only skill with no install spec; no external downloads or archive extraction. This is the lower-risk installation pattern.
Credentials
Only DEEPSEEK_OCR_API_KEY is declared as required (appropriate for a remote OCR API). However the script optionally reads DEEPSEEK_OCR_API_URL (mentioned in SKILL.md but not listed as required) and sources ~/.openclaw-env, which could contain many unrelated secrets. Sourcing a file increases the chance that unrelated credentials or commands are executed or used, so the effective environment access is broader than declared.
Persistence & Privilege
Skill does not request always:true and does not modify other skills or system settings. It runs as an on-demand script, so no elevated persistence is requested.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install ucloud-deepseek-ocr - After installation, invoke the skill by name or use
/ucloud-deepseek-ocr - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release with major refactor and feature change:
- Fully replaced previous Meta AI Search functionality with DeepSeek-OCR for image text recognition.
- Added bash script ocr.sh for performing OCR on local image files.
- Introduced support for output formats: markdown (default), text, JSON, etc.
- Removed previous documentation and config files for search; new docs focus on OCR usage and API key configuration.
- Requires curl, jq, base64 and a DeepSeek-OCR API key.
Metadata
Frequently Asked Questions
What is ucloud-deepseek-ocr?
OCR text recognition using DeepSeek-OCR model. Use when user asks for OCR, text recognition, image text extraction, screenshot recognition, or converting ima... It is an AI Agent Skill for Claude Code / OpenClaw, with 694 downloads so far.
How do I install ucloud-deepseek-ocr?
Run "/install ucloud-deepseek-ocr" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is ucloud-deepseek-ocr free?
Yes, ucloud-deepseek-ocr is completely free (open-source). You can download, install and use it at no cost.
Which platforms does ucloud-deepseek-ocr support?
ucloud-deepseek-ocr is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created ucloud-deepseek-ocr?
It is built and maintained by qianjunye (@qianjunye); the current version is v1.0.0.
More Skills