ppocrv5

SUSPICIOUS: the OCR purpose aligns with the documented behavior, and there is no strong malware or installer abuse signal. The main issue is data-flow integrity: credentials and document contents are sent to a user-configurable API_URL rather than a pinned official endpoint, so the skill is only safe if operators ensure the URL is an official Paddle/Baidu service.