mineru
Audited by Socket on Feb 28, 2026
2 alerts found:
Obfuscated File / Malware
The script does not contain clear malicious code patterns (no exec/eval, shells, or persistence), but it intentionally uploads local files to a remote service and downloads/extracts archives without sanitization. The main security issues are: (1) potential sensitive data exfiltration if used on confidential files or with a leaked token; (2) unsafe ZIP extraction (zip-slip / path traversal and lack of size/entry limits) from untrusted server responses. If you trust MinerU and control input files, the tool appears functional for its purpose. If you do not fully trust the service or network, do not run this on sensitive data and modify the code to safely validate archive member paths and enforce extraction limits.
The package is a legitimate client for a remote document-parsing SaaS: it uploads local documents to MinerU and saves parsed outputs. The primary security concern is sensitive-data exposure because full documents are sent to a third-party service and outputs can be written into cloud-synced locations. No clear signs of malware or intentional obfuscation are present in the README, but critical implementation details (exact endpoints, TLS/cert handling, telemetry) are missing and must be inspected in the actual code before using the tool on sensitive materials. Treat as functional but privacy-sensitive; audit implementation and vendor privacy practices prior to use in confidential contexts.
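The first alert's remedy (validate archive member paths, enforce extraction limits) is the part a user of the client can fix locally. The following is an added example, not MinerU's code and not part of the Socket audit: a Python `safe_extract` that resolves every member path against the destination and rejects traversal, absolute paths and symlink members, and enforces entry-count, total-size and compression-ratio limits before writing a single byte. The limit values, the helper names (`safe_extract`, `build_zip`, `run_demo`) and the sample archives are all constructed for illustration.

```python
"""Safe extraction of an untrusted zip (illustrative; not MinerU's own code)."""
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Assumed limits for illustration; tune them for the outputs you expect.
MAX_ENTRIES = 10_000
MAX_TOTAL_UNCOMPRESSED = 500 * 1024 * 1024  # 500 MiB across the archive
MAX_RATIO = 100  # uncompressed / compressed bytes per member (bomb guard)


class UnsafeArchive(Exception):
    """A member would escape the destination or the archive exceeds a limit."""


def _is_symlink(info: zipfile.ZipInfo) -> bool:
    # Unix mode bits live in the top 16 bits of external_attr; 0o120000 is S_IFLNK.
    return (info.external_attr >> 16) & 0o170000 == 0o120000


def _validate(zf: zipfile.ZipFile, dest: Path) -> list:
    """Check every member before anything is written; return (member, target) pairs."""
    infos = zf.infolist()
    if len(infos) > MAX_ENTRIES:
        raise UnsafeArchive(f"too many entries: {len(infos)}")
    total, plan = 0, []
    for info in infos:
        name = info.filename
        # Absolute paths, backslash-rooted names and Windows drive prefixes are refused.
        if os.path.isabs(name) or name.startswith(("/", "\\")) or ":" in name.split("/")[0]:
            raise UnsafeArchive(f"absolute or drive path: {name!r}")
        if _is_symlink(info):
            raise UnsafeArchive(f"symlink member: {name!r}")
        target = (dest / name).resolve()
        # resolve() collapses '..' segments; the result must stay inside dest.
        if not target.is_relative_to(dest):
            raise UnsafeArchive(f"path traversal: {name!r}")
        if target == dest and not info.is_dir():
            raise UnsafeArchive(f"member resolves to the destination itself: {name!r}")
        total += info.file_size
        if total > MAX_TOTAL_UNCOMPRESSED:
            raise UnsafeArchive("total uncompressed size limit exceeded")
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            raise UnsafeArchive(f"suspicious compression ratio: {name!r}")
        plan.append((info, target))
    return plan


def safe_extract(zip_bytes: bytes, dest: Path) -> list:
    """Extract zip_bytes under dest; raise UnsafeArchive before writing on any violation."""
    dest = dest.resolve()
    written, copied = [], 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info, target in _validate(zf, dest):
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                # Count bytes actually produced, not the attacker-supplied header sizes.
                while chunk := src.read(64 * 1024):
                    copied += len(chunk)
                    if copied > MAX_TOTAL_UNCOMPRESSED:
                        raise UnsafeArchive("decompressed output exceeded the limit")
                    dst.write(chunk)
            written.append(target)
    return written


def build_zip(entries) -> bytes:
    """Constructed test archive: entries are (name, data, external_attr) tuples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data, attr in entries:
            info = zipfile.ZipInfo(name)
            info.compress_type = zipfile.ZIP_DEFLATED
            if attr is not None:
                info.external_attr = attr
            zf.writestr(info, data)
    return buf.getvalue()


# Constructed samples: one benign archive and four hostile ones.
SAMPLES = {
    "benign": build_zip([("out/", b"", None), ("out/a.md", b"# parsed\n", None)]),
    "zip_slip": build_zip([("../evil.txt", b"pwned", None)]),
    "absolute": build_zip([("/tmp/evil.txt", b"pwned", None)]),
    "symlink": build_zip([("out/link", b"/etc/passwd", 0o120777 << 16)]),
    "bomb": build_zip([("out/zeros.bin", b"\0" * (4 * 1024 * 1024), None)]),
}


def run_demo() -> dict:
    """Extract each sample into a fresh temp dir; map label -> 'ok: files' or 'rejected: why'."""
    results = {}
    for label, data in SAMPLES.items():
        with tempfile.TemporaryDirectory() as tmp:
            dest = (Path(tmp) / "extracted").resolve()
            try:
                files = safe_extract(data, dest)
                results[label] = "ok: " + ", ".join(p.relative_to(dest).as_posix() for p in files)
            except UnsafeArchive as exc:
                results[label] = "rejected: " + str(exc).split(":")[0]
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:9} {outcome}")
```

Validation runs over the whole central directory before the first write, so a hostile archive leaves no partial output to clean up. The ratio check is deliberately per member rather than per archive, since a single bomb entry hidden among normal files is the usual shape of the attack; the byte counter in `safe_extract` is a second line of defence that does not trust the sizes recorded in the archive.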