Back to skill

Security audit

身份证识别OCR

Security checks across malware telemetry and agentic risk

Overview

This ID-card OCR skill is not malicious, but it handles government-ID images and API credentials with too little privacy and storage protection for automatic approval.

Review carefully before installing. Use this only if you trust the XiaoBenYang OCR service with ID-card images and extracted identity fields. Avoid sharing production or third-party identity documents unless you have consent and understand the provider’s retention policy. Prefer setting the API key through a secure environment or secret manager rather than letting the skill write it into a plaintext .env file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation describes capabilities that imply environment access, file read/write, and network use, but it declares no permissions or trust boundaries. This creates a transparency and review gap: operators and users cannot accurately assess what the skill may access, and sensitive data such as API keys or ID-card images could be handled by components with broader capability than expected.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The file implements persistent API credential management for an MCP/"gaokao" service rather than configuration narrowly scoped to an ID-card OCR skill. This capability mismatch is dangerous because users of a document-processing skill would not reasonably expect it to read, store, and mutate local secrets, increasing the chance of hidden data handling and privilege overreach.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The presence of remote service endpoint and API-key configuration in an ID OCR skill expands the trust boundary beyond local OCR processing. In this context, unnecessary credentialed network integration creates avoidable exposure of sensitive identity document data and invites misuse if the service or configuration is compromised.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Persisting an API key to a project-local .env file is a real security concern because it creates a long-lived plaintext secret on disk that may be exposed through backups, source-control mistakes, or other local tooling. This is especially suspicious in an OCR skill whose stated function does not require local secret-writing behavior.

Missing User Warnings

High
Confidence
96% confidence
Finding
This skill processes extremely sensitive personal data, including ID-card images, ID numbers, addresses, and issuing authority details, yet provides no privacy notice, retention guidance, or warning that data will be transmitted to an external API. In this context, omission of consent and handling details materially increases the risk of unauthorized disclosure, non-compliant processing, and user harm.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The skill uses mandatory language to force users to provide an API key without presenting alternatives, boundaries, or security guidance. This can pressure users into sharing secrets in an unsafe channel and normalizes secret collection as part of ordinary workflow.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code silently writes the supplied API key into .env without any user-facing notice, creating undisclosed persistent secret storage. This is dangerous because users may believe they are providing a transient credential while the application leaves a plaintext secret on disk for future exposure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
These functions send extremely sensitive personally identifiable information (ID-card images and extracted identity data) to an external API via call_api, but this file provides no explicit consent flow, privacy notice, minimization, or safeguards. In the context of an ID-card OCR skill, this increases the risk of unauthorized collection, unexpected transmission, and regulatory/privacy violations if users or integrators are not clearly informed.

Ssd 3

Medium
Confidence
95% confidence
Finding
The instructions explicitly tell the agent to ask the user for an API key and then store it via configuration, creating a direct secret-collection and secret-storage workflow. In a skill that also uses file and environment capabilities, this raises the risk of credential exposure through logs, prompts, config files, or unintended reuse across sessions.

Ssd 3

High
Confidence
97% confidence
Finding
The skill directs the model to directly display raw OCR output, which may include full name, sex, ethnicity, birth date, address, ID number, issuing authority, and validity dates. Returning raw sensitive fields without masking or minimization substantially increases exposure risk, especially if responses are logged, shared, or shown in insecure contexts.

Credential Access

High
Category
Privilege Escalation
Content
default_year: int = 2025

    def model_post_init(self, __context):
        # 强制从 .env 文件读取 XBY_APIKEY
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
Confidence
86% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def model_post_init(self, __context):
        # 强制从 .env 文件读取 XBY_APIKEY
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
            for line in content.splitlines():
Confidence
86% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
def save_api_key_to_env(api_key: str) -> bool:
    """将API key保存到.env文件"""
    try:
        env_path = Path(".env")
        lines = []
        if env_path.exists():
            lines = env_path.read_text(encoding="utf-8").splitlines()
Confidence
92% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
def set_api_key(api_key: str) -> bool:
    """设置API key并持久化到.env"""
    if not api_key or not api_key.strip():
        return False
    api_key = api_key.strip()
Confidence
90% confidence
Finding
.env"

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
95% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
95% confidence
Finding
pydantic>=2.7.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
94% confidence
Finding
pydantic-settings>=2.2.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
95% confidence
Finding
python-dotenv>=1.0.1

Known Vulnerable Dependency: requests==2.31.0 — 5 advisory(ies): CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi); CVE-2026-25645 (Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility func) +2 more

Medium
Category
Supply Chain
Confidence
92% confidence
Finding
requests==2.31.0

Known Vulnerable Dependency: python-dotenv==1.0.1 — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
84% confidence
Finding
python-dotenv==1.0.1

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.