Shipping Booking Note Smart Extraction (Shipping Booking Extractor)

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed AI document extractor for shipping-booking files, but users should know it sends uploaded document content to configured AI providers.

Install only if you are comfortable sending booking-document text and images to the configured AI provider. Confirm which OpenClaw or environment API key will be used, avoid uploading unrelated or highly sensitive files, and prefer pinned, patched dependency versions for document parsers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (23)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no explicit permissions, yet its documented behavior uses shell execution, local file access, and environment-derived credentials. This weakens user consent and platform enforcement because the skill can read local files and invoke commands without those capabilities being transparently declared.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill claims it only handles booking-related files under narrow trigger conditions, but the documented behavior includes automatically reading local AI credentials and sending document contents to third-party AI services. It also relies on external invocation logic for trigger restrictions rather than enforcing them itself, so unsupported or sensitive files could still be processed and exfiltrated if passed in.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill claims it only handles booking-related files, but it sends file contents to external AI providers before verifying the document is actually a booking note. That means arbitrary uploaded documents, including unrelated sensitive business records, can be exfiltrated to third-party services contrary to the stated scope and likely user expectations.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The extractor silently reads credentials from OpenClaw auth-profile files unrelated to the uploaded document-processing task. Accessing unrelated local secrets expands the skill's privilege scope and can cause the skill to use credentials the user did not intend to expose or authorize for this workflow.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The skill description includes broad trigger phrases such as generic extraction/recognition wording, which can cause accidental invocation on unrelated uploads. In this skill's context, mistaken triggering is more dangerous because uploaded business documents may then be sent to external AI providers.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger-condition keyword list contains ambiguous terms like '解析', '识别', and 'extract', which are common in unrelated workflows. Because this skill performs document extraction and external transmission, overly broad activation increases the chance of processing and exposing non-booking sensitive files.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code transmits extracted document text to external AI providers without an explicit user-facing warning at the point of use. Booking instructions commonly contain names, addresses, shipment details, and trade-sensitive data, so undisclosed outbound transfer creates a significant privacy and confidentiality risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The image and PDF paths upload full document images to third-party AI services without explicit disclosure. Visual document uploads can include signatures, stamps, logos, handwritten notes, and other sensitive content beyond extracted text, making the privacy exposure broader than users may expect.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script reads local API tokens from OpenClaw auth profiles without clear disclosure to the user. Even if the tokens are used only for legitimate API calls, silent access to locally stored secrets violates least surprise and increases the sensitivity of the skill's behavior.

External Transmission

Medium
Category
Data Exfiltration
Content
|------|------|
| ✅ Recommended | AI account already configured in OpenClaw, **read automatically, no action required** |
| Anthropic Claude | `export ANTHROPIC_API_KEY=your_key` |
| DeepSeek | `export OPENAI_API_KEY=your_key` `export OPENAI_BASE_URL=https://api.deepseek.com/v1` |
| Tongyi Qianwen | `export OPENAI_API_KEY=your_key` `export OPENAI_BASE_URL=https://dashscope.aliyuncs.com/compatible-mode/v1` |
| Kimi | `export OPENAI_API_KEY=your_key` `export OPENAI_BASE_URL=https://api.moonshot.cn/v1` |
| Zhipu GLM | `export OPENAI_API_KEY=your_key` `export OPENAI_BASE_URL=https://open.bigmodel.cn/api/paas/v4` |
Confidence
88% confidence
Finding
https://api.deepseek.com/

External Transmission

Medium
Category
Data Exfiltration
Content
| Anthropic Claude | `export ANTHROPIC_API_KEY=your_key` |
| DeepSeek | `export OPENAI_API_KEY=your_key` `export OPENAI_BASE_URL=https://api.deepseek.com/v1` |
| Tongyi Qianwen | `export OPENAI_API_KEY=your_key` `export OPENAI_BASE_URL=https://dashscope.aliyuncs.com/compatible-mode/v1` |
| Kimi | `export OPENAI_API_KEY=your_key` `export OPENAI_BASE_URL=https://api.moonshot.cn/v1` |
| Zhipu GLM | `export OPENAI_API_KEY=your_key` `export OPENAI_BASE_URL=https://open.bigmodel.cn/api/paas/v4` |
| Custom text model | `export SHIPPING_MODEL=your_model_name` |
| Custom vision model | `export SHIPPING_VISION_MODEL=your_vision_model` (for images/PDF) |
Confidence
88% confidence
Finding
https://api.moonshot.cn/

Unpinned Dependencies

Low
Category
Supply Chain
Content
anthropic
openai
pdfplumber
pymupdf
Confidence
95% confidence
Finding
anthropic

Unpinned Dependencies

Low
Category
Supply Chain
Content
anthropic
openai
pdfplumber
pymupdf
python-docx
Confidence
95% confidence
Finding
openai

Unpinned Dependencies

Low
Category
Supply Chain
Content
anthropic
openai
pdfplumber
pymupdf
python-docx
openpyxl
Confidence
95% confidence
Finding
pdfplumber

Unpinned Dependencies

Low
Category
Supply Chain
Content
anthropic
openai
pdfplumber
pymupdf
python-docx
openpyxl
xlrd
Confidence
95% confidence
Finding
pymupdf

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai
pdfplumber
pymupdf
python-docx
openpyxl
xlrd
striprtf
Confidence
98% confidence
Finding
python-docx

Unpinned Dependencies

Low
Category
Supply Chain
Content
pdfplumber
pymupdf
python-docx
openpyxl
xlrd
striprtf
Confidence
98% confidence
Finding
openpyxl

Unpinned Dependencies

Low
Category
Supply Chain
Content
pymupdf
python-docx
openpyxl
xlrd
striprtf
Confidence
95% confidence
Finding
xlrd

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-docx
openpyxl
xlrd
striprtf
Confidence
94% confidence
Finding
striprtf

Known Vulnerable Dependency: anthropic — 2 advisory(ies): CVE-2026-34450 (Claude SDK for Python has Insecure Default File Permissions in Local Filesystem ); CVE-2026-34452 (Claude SDK for Python: Memory Tool Path Validation Race Condition Allows Sandbox)

Low
Category
Supply Chain
Confidence
72% confidence
Finding
anthropic

Known Vulnerable Dependency: pymupdf — 1 advisory(ies): CVE-2026-3029 (PyMuPDF has a path traversal in _main_.py)

Low
Category
Supply Chain
Confidence
86% confidence
Finding
pymupdf

Known Vulnerable Dependency: python-docx — 2 advisory(ies): CVE-2016-5851 (Improper Restriction of XML External Entity Reference in python-docx); CVE-2016-5851 (python-docx before 0.8.6 allows context-dependent attackers to conduct XML Exter)

High
Category
Supply Chain
Confidence
99% confidence
Finding
python-docx

Known Vulnerable Dependency: openpyxl — 2 advisory(ies): CVE-2017-5992 (Improper Restriction of XML External Entity Reference in Openpyxl); CVE-2017-5992 (Openpyxl 2.4.1 resolves external entities by default, which allows remote attack)

High
Category
Supply Chain
Confidence
99% confidence
Finding
openpyxl

VirusTotal

64/64 vendors flagged this skill as clean.
