PaddleOCR Document Parsing V2

Parse documents using PaddleOCR's API. Supports both sync and async modes for images and PDFs.

This skill appears to be what it claims: a client that uploads a local file (base64-encoded) or references a URL and sends it to whatever PADDLEOCR_API_URL or PADDLEOCR_JOB_URL you configure. Before installing, verify the endpoint URL you set is an official/trusted PaddleOCR endpoint (the skill will send your document contents and token to that URL). Ensure the Python 'requests' package is available if you plan to use async mode. Be aware of the differing Authorization header formats used by sync vs async paths and confirm which your endpoint expects. Run the tool in an isolated environment if you will upload sensitive documents, and consider rotating the API token if you share it with third-party services. If you need the skill to manage dependencies automatically or want stricter metadata, request the author add an explicit dependency declaration for Python packages and harmonize the env metadata with the documented optional variables.

Type: OpenClaw Skill Name: paddleocr-doc-parsing-v2 Version: 1.0.4 The skill is classified as suspicious due to a critical shell injection vulnerability found in `scripts/paddleocr_parse.sh`. The script uses `cat "$input_file"` to read local files for base64 encoding. If the `input_file` argument is controlled by an attacker (e.g., via prompt injection against the agent), a crafted string like `"; malicious_command; #.jpg"` could lead to arbitrary command execution. While the Python script (`scripts/paddleocr_parse.py`) handles file paths securely, the shell script's vulnerability poses a significant risk. The skill's core functionality of interacting with the PaddleOCR API, including reading local files and fetching remote URLs, is otherwise aligned with its stated purpose.