Product Doc Reader

产品工程图纸结构化提取器 v5.0。pdftotext 优先 + Vision 兜底，支持软连字符清理/跨行关联/数据校验。专为 Farreach 线材产品图纸设计。

What to consider before installing/running: - Expect this to run code: the package includes multiple Python scripts (extract_hybrid.py, extract_vision.py, batch_process_drive.py). Review those scripts before running. Search them for network calls (requests, urllib, openai/openrouter SDKs, googleapiclient, sockets) and any hardcoded endpoints. - Credentials mismatch: the docs mention Vision (Gemini/OpenRouter) and Google Drive operations but the manifest does not declare required API keys. If you run the scripts, they may look for API keys in your environment, local config, or attempt to prompt/use CLI tools — be cautious about providing secrets. - Sandbox first: run the tool offline or in a VM/container without network access (or with network blocked) to confirm local-only behavior when you only want pdftotext-based extraction. Then enable network only after you’ve inspected code and configured minimal, scoped credentials. - Inspect batch_process_drive.py carefully: it may upload or delete files on Drive. If you use it, ensure it targets a test Drive account or that you understand exactly what it will read/write. - If you need Vision fallback, prefer creating a dedicated, limited-scope API key/account and monitor outgoing traffic. Consider replacing or instrumenting the script calls to OpenRouter/OpenAI to log endpoints and data before sending. - If you’re not comfortable auditing Python code, ask the maintainer for a short summary of what external endpoints the scripts call, and for a minimal configuration example that shows required env vars and where outputs are sent. If you provide the content of scripts/extract_hybrid.py and batch_process_drive.py I can do a targeted review and point to exact lines that perform network or Drive/OpenRouter calls.

Type: OpenClaw Skill Name: ssa-product-doc-reader Version: 1.0.0 The skill bundle contains significant security vulnerabilities, most notably a hardcoded OpenRouter API key in `scripts/extract_hybrid.py` and `scripts/extract_vision.py`, which is a critical credential leak. Furthermore, several scripts (including `scripts/extract_drawing.py` and `scripts/batch_599.py`) utilize `subprocess.run` to execute system commands with unsanitized file paths, posing a high risk of shell injection. While the code's functionality appears consistent with its stated purpose of extracting data from engineering drawings, the combination of hardcoded secrets, poor input sanitization, and the transmission of document data to third-party APIs (OpenRouter and Bailian) represents a high risk to the user's environment.