Security audit

Document Ocr Agent

Security checks across malware telemetry and agentic risk

Overview

This is a coherent remote OCR skill, but users should treat submitted documents as sensitive because they are processed through AgentPMT and Google Document AI.

Install only if you are comfortable sending selected documents, URLs, or AgentPMT file IDs to a remote OCR service. Avoid or redact passports, driver's licenses, tax forms, bank statements, medical records, and other regulated documents unless you are authorized to process them, and use only one input source per request despite the malformed generated examples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Severity: Low
Confidence: 93%
Finding:
The skill repeatedly states that exactly one of `file_urls`, `file_ids`, or `content_base64` must be provided, but the sample MCP/REST payloads include all three at once. This kind of contradictory guidance can cause downstream agents or users to submit invalid requests, potentially triggering unintended uploads of local content, remote URLs, and cloud file references together and increasing accidental data disclosure to the remote OCR service.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill describes OCR functionality but does not clearly warn that supplied documents, file IDs, and URLs are transmitted to AgentPMT and then processed by Google Document AI, which is a third-party remote service. For a tool intended to handle receipts, invoices, IDs, and scanned documents, lack of explicit disclosure materially increases the risk of users sending sensitive data off-platform without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The skill actively encourages processing passports, driver's licenses, W-2s, W-9s, bank statements, and medical records but omits strong handling warnings for these highly sensitive document classes. In this context, the omission is dangerous because these files commonly contain SSNs, account numbers, addresses, DOBs, and other regulated personal data that may be exposed through remote processing, logs, or misrouted agent workflows.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
This skill processes PDFs, images, IDs, invoices, bank statements, tax forms, and other potentially sensitive documents through a remote OCR service, but the schema text does not warn users that document contents are transmitted to an external processor. In this context, the omission increases the risk of inadvertent disclosure of PII, financial data, or regulated documents because users may submit sensitive material without understanding the external data flow.

VirusTotal

62/62 vendors flagged this skill as clean.