mineru

SUSPICIOUS. The core document-extraction behavior is aligned with the stated purpose, but the trust model is weak: it relies on a remotely executed installer from a CDN and then sends user documents and API tokens through that external CLI. The functionality is coherent, yet the install path and credential forwarding make the skill high-risk unless the binary and installer are independently verified as official and open-source.