otacu

Zerox

Author: otacu · GitHub · v0.1.0
cross-platform ⚠ suspicious
Total downloads: 951
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install zerox
Description
Convert PDFs, DOCX, PPTX, and images to Markdown using zerox with GPT-4o vision, including OCR for scanned documents.
Security recommendations
This skill will send your document contents to a remote model provider (via the zerox library). Before installing or running it, consider:
  1. Privacy: do not use this on sensitive documents unless you trust the target API (api.apiyi.com or OpenAI endpoints) and its data-retention policy.
  2. API key scope: provide a dedicated key with minimal scope or billing limits; storing it in ~/.openclaw/.env is supported by the script but not declared — prefer setting the env var explicitly.
  3. README asks you to edit node_modules/zerox/openAI.js to point to api.apiyi.com; editing installed package code is unusual and increases risk — review that file to confirm where requests are sent.
  4. Network & dependency risk: installing the 'zerox' npm package will add code that runs network requests; audit dependency versions and source before use.
  5. If you need stronger assurance, request the maintainer/source repo, verify the zerox version and its openAI adapter, or run the conversion on a machine without network access to confirm behavior.
These items make the skill coherent but worthy of caution.
Functional analysis
Type: OpenClaw Skill
Name: zerox
Version: 0.1.0
The skill is classified as suspicious due to significant vulnerabilities. The `scripts/convert-bg.mjs` script is vulnerable to shell injection via `osascript` on macOS, as the `filePath` argument is unsanitized when used to construct notification messages, potentially allowing arbitrary command execution. Additionally, both `scripts/convert.mjs` and `scripts/convert-bg.mjs` are vulnerable to arbitrary file writes/path traversal, as the `outputPath` argument is directly used to write files without proper validation, allowing an attacker to specify locations outside the intended output directory. The skill also accesses `~/.openclaw/.env` to retrieve an API key, which, while intended and documented, highlights its ability to read user configuration files.
Capability assessment
Purpose & Capability
The name/description (convert PDFs/DOCX/PPTX/images to Markdown using zerox and GPT-4o vision) matches the included scripts and package dependency on 'zerox'. Requiring node and an API key for an external model gateway (APIYI_API_KEY) is consistent with calling a hosted model provider.
Instruction Scope
The runtime scripts do more than just run a converter: they will read an API key from process.env.APIYI_API_KEY or attempt to read ~/.openclaw/.env if the env var is absent (this config path was not declared in the registry metadata). The scripts upload document content to a remote model provider (via zerox), which means your documents will be transmitted off-machine; this privacy-affecting behavior is not emphasized in SKILL.md. README additionally instructs modifying the zerox package's openAI.js to point to https://api.apiyi.com/v1 — modifying node_modules is unusual and increases risk.
Install Mechanism
There is no registry install spec. package.json depends on 'zerox' (npm). README instructs running npm install and editing node_modules to change endpoints. Installing a third-party npm package is a normal step, but the README's suggestion to edit dependency source code (openAI.js) to use a third-party gateway increases the attack surface and is atypical.
Credentials
Only a single credential (APIYI_API_KEY) is required, which is proportionate for a gateway to a model provider. However, the code will read that key either from the environment or from ~/.openclaw/.env (not declared as a required config path). Also, that key will grant the skill the ability to send arbitrary document contents to the remote API, so its scope is sensitive and should be treated as high-privilege for data exfiltration concerns.
Persistence & Privilege
The skill does not set always:true, does not modify other skills or system-wide settings, and only writes logs and output into its own output directory. It does spawn detached background processes and issues macOS notifications (osascript), which are expected for a background converter and are scoped to the skill directory.
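How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install zerox
  3. Once installation completes, call the Skill by name or trigger it with /zerox
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history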
v0.1.0
Initial release of zerox document converter
  - Convert PDF, DOCX, PPTX, and image files to Markdown using the zerox library
  - Supports both scanned (OCR) and text-based documents via GPT-4o vision
  - Includes scripts for quick (foreground) and large file (background) conversion
  - Background conversion supports progress logging and macOS notifications
  - Requires node and an APIYI_API_KEY environment variable for operation
Metadata
Slug zerox
Version 0.1.0
License
Total installs 1
Current installs 1
Historical versions 1
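FAQ

What is Zerox?

Convert PDFs, DOCX, PPTX, and images to Markdown using zerox with GPT-4o vision, including OCR for scanned documents. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 951 total downloads to date.

How do I install Zerox?

Run the command "/install zerox" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Zerox free?

Yes, Zerox is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Zerox support?

Zerox runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Zerox?

Developed and maintained by otacu (@otacu); the current version is v0.1.0.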
