Back to skill

Security audit

护照识别OCR

Security checks across malware telemetry and agentic risk

Overview

This passport OCR skill appears purpose-aligned, but it warrants review because it sends highly sensitive passport data to a third-party API and stores the API key in a local .env file.

Install only if you are comfortable sending passport images or image URLs to Xiaobenyang's OCR API. Use a dedicated API key with limited exposure, avoid processing passports without the subject's permission, and treat the generated .env file as a plaintext secret that should not be committed, shared, or left in broad-access directories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill requires capabilities consistent with environment access, file read/write, and network use, but does not declare them. This weakens transparency and permission review, making it harder for users or the platform to understand that passport images and API keys may be read, stored, and transmitted externally. In a document-processing skill handling highly sensitive identity data, undocumented capabilities increase the risk of silent data exposure or overbroad access.

Intent-Code Divergence

Medium
Confidence
78% confidence
Finding
The workflow example instructs the model to call an unrelated function (`search_schools`) instead of the passport OCR tool. Mismatched operational guidance can cause incorrect tool invocation, accidental data disclosure to the wrong workflow, or unsafe handling of passport data because the routing instructions are unreliable. In an agentic skill, inaccurate tool-routing documentation is a security-relevant integrity issue, not just a quality problem.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The config class docstring refers to a different skill domain (高考) than the declared passport OCR skill, indicating code reuse or repurposing without proper review. In security-sensitive skills that handle identity documents and API credentials, this mismatch is a strong signal that the shipped code may not match the advertised function and may hide unrelated behavior.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file primarily implements external API credential loading, overriding, and persistence rather than passport OCR logic. That scope mismatch is dangerous because users invoking an OCR skill would not reasonably expect local secret management behavior, increasing the risk of undisclosed credential collection and persistence.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill can write an API key into a local .env file and mutate the running process environment, which is unrelated to passport OCR itself. In the context of a document-processing skill, this broadens impact from image parsing to local secret persistence and environment tampering, creating unnecessary exposure of sensitive credentials.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill instructs sending passport images or base64-encoded passport data to an external OCR API without any privacy notice, consent flow, retention statement, or handling limitations. Passport images contain highly sensitive identity information, so undocumented third-party transmission materially raises the risk of privacy violations, regulatory noncompliance, and long-term exposure if the provider stores or reuses submitted data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code persists the provided API key to .env without any user-facing warning, consent, or visibility into storage location and retention. This is dangerous because users may believe they are providing a temporary credential, while the skill silently creates a recoverable local secret artifact.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This function sends passport image data to an external API for OCR, which involves highly sensitive personal data including passport number, name, nationality, and birth date. The file provides no notice, consent flow, minimization, or handling guarantees, so users or downstream callers may transmit regulated identity data without understanding the privacy and compliance implications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This function transmits a base64-encoded passport image to an external API, which still constitutes sending raw passport data off-system. Because passport scans are extremely sensitive identity documents, missing disclosure, consent, and data-handling safeguards increases privacy, legal, and breach impact if the API, logs, or intermediaries are compromised.

Credential Access

High
Category
Privilege Escalation
Content
default_year: int = 2025

    def model_post_init(self, __context):
        # 强制从 .env 文件读取 XBY_APIKEY
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
Confidence
96% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def model_post_init(self, __context):
        # 强制从 .env 文件读取 XBY_APIKEY
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
            for line in content.splitlines():
Confidence
96% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
def save_api_key_to_env(api_key: str) -> bool:
    """将API key保存到.env文件"""
    try:
        env_path = Path(".env")
        lines = []
        if env_path.exists():
            lines = env_path.read_text(encoding="utf-8").splitlines()
Confidence
99% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
def set_api_key(api_key: str) -> bool:
    """设置API key并持久化到.env"""
    if not api_key or not api_key.strip():
        return False
    api_key = api_key.strip()
Confidence
98% confidence
Finding
.env"

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
93% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
93% confidence
Finding
pydantic>=2.7.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
92% confidence
Finding
pydantic-settings>=2.2.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
92% confidence
Finding
python-dotenv>=1.0.1

Known Vulnerable Dependency: requests==2.31.0 — 5 advisory(ies): CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi); CVE-2026-25645 (Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility func) +2 more

Medium
Category
Supply Chain
Confidence
95% confidence
Finding
requests==2.31.0

Known Vulnerable Dependency: python-dotenv==1.0.1 — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
82% confidence
Finding
python-dotenv==1.0.1

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.