← 返回 Skills 市场
694
总下载
0
收藏
3
当前安装
1
版本数
在 OpenClaw 中安装
/install ucloud-deepseek-ocr
功能描述
OCR text recognition using DeepSeek-OCR model. Use when user asks for OCR, text recognition, image text extraction, screenshot recognition, or converting ima...
安全使用建议
This script mostly does what the skill claims (encode an image and call a remote OCR model) but has a few red flags: 1) The SKILL.md path ({baseDir}/scripts/ocr.sh) does not match the provided file (script/ocr.sh) — verify the correct path before running. 2) The script sources ~/.openclaw-env if present; avoid running it if that file might contain untrusted commands or secrets. Consider opening that file to inspect its contents, or run the script in a controlled environment (container or sandbox). 3) Confirm you trust the API host (https://api.modelverse.cn by default) before providing DEEPSEEK_OCR_API_KEY. 4) If you want the key stored in ~/.openclaw/openclaw.json as documented, understand the script will not read that file unless you modify it. If you are not comfortable with these issues, request a corrected SKILL.md and/or a version of the script that reads a specified config file (without sourcing) or accepts the API key via an explicit argument or a securely-loaded env var.
功能分析
Type: OpenClaw Skill
Name: ucloud-deepseek-ocr
Version: 1.0.0
The skill is classified as suspicious due to multiple shell injection vulnerabilities in `script/ocr.sh`. The `API_URL` variable is used unquoted in the `curl` command, allowing for arbitrary `curl` argument injection if an attacker controls the `DEEPSEEK_OCR_API_URL` environment variable. Additionally, the `IMAGE_PATH` variable is unquoted when passed to `base64` and in file existence checks, posing further shell injection risks. The skill also presents a prompt injection vulnerability against the DeepSeek-OCR model via the `output_format` parameter, allowing an attacker to manipulate the AI model's instructions.
能力评估
Purpose & Capability
Name/description, required binaries (curl, jq, base64), and the single API key align with an OCR integration that sends base64 images to a remote model. However there are small mismatches: SKILL.md examples reference {baseDir}/scripts/ocr.sh while the repository provides script/ocr.sh (singular), and SKILL.md documents storing the key in ~/.openclaw/openclaw.json while the script actually sources ~/.openclaw-env. These inconsistencies may cause confusion or breakage.
Instruction Scope
The runtime script behaves as expected for OCR (base64-encodes local images and posts to the model API). But it unconditionally sources ~/.openclaw-env if present. Sourcing a user file can execute arbitrary shell commands and may load unrelated environment variables; that is broader scope than necessary for OCR and is a potential local-execution risk. The script also prints an instruction telling the user to 'source ~/.openclaw-env', reinforcing this dependency even though the SKILL.md suggests a different config location.
Install Mechanism
Instruction-only skill with no install spec; no external downloads or archive extraction. This is the lower-risk installation pattern.
Credentials
Only DEEPSEEK_OCR_API_KEY is declared as required (appropriate for a remote OCR API). However the script optionally reads DEEPSEEK_OCR_API_URL (mentioned in SKILL.md but not listed as required) and sources ~/.openclaw-env, which could contain many unrelated secrets. Sourcing a file increases the chance that unrelated credentials or commands are executed or used, so the effective environment access is broader than declared.
Persistence & Privilege
Skill does not request always:true and does not modify other skills or system settings. It runs as an on-demand script, so no elevated persistence is requested.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install ucloud-deepseek-ocr - 安装完成后,直接呼叫该 Skill 的名称或使用
/ucloud-deepseek-ocr触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release with major refactor and feature change:
- Fully replaced previous Meta AI Search functionality with DeepSeek-OCR for image text recognition.
- Added bash script ocr.sh for performing OCR on local image files.
- Introduced support for output formats: markdown (default), text, JSON, etc.
- Removed previous documentation and config files for search; new docs focus on OCR usage and API key configuration.
- Requires curl, jq, base64 and a DeepSeek-OCR API key.
元数据
常见问题
ucloud-deepseek-ocr 是什么?
OCR text recognition using DeepSeek-OCR model. Use when user asks for OCR, text recognition, image text extraction, screenshot recognition, or converting ima... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 694 次。
如何安装 ucloud-deepseek-ocr?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install ucloud-deepseek-ocr」即可一键安装,无需额外配置。
ucloud-deepseek-ocr 是免费的吗?
是的,ucloud-deepseek-ocr 完全免费(开源免费),可自由下载、安装和使用。
ucloud-deepseek-ocr 支持哪些平台?
ucloud-deepseek-ocr 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 ucloud-deepseek-ocr?
由 qianjunye(@qianjunye)开发并维护,当前版本 v1.0.0。
推荐 Skills