Security audit

Playwright Ocr

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform useful web/OCR extraction, but its Feishu upload path is under-disclosed for content that may come from authenticated or sensitive pages.

Review the Feishu configuration before installing or running this skill. Use it only on pages and screenshots whose extracted text you are comfortable sending to the configured Feishu/Bitable destination, and disable uploads unless you intentionally want that export path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content (excerpt of the skill's code as captured by the scanner):
    print(f"\n{'='*60}")
    print(f"🚀 {description}")
    print(f"{'='*60}")
    result = subprocess.run(cmd, shell=True, capture_output=False)
    return result.returncode == 0

def main():
Confidence: 94%
Finding:
result = subprocess.run(cmd, shell=True, capture_output=False)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding:
The skill documents shell execution, environment variable use, and file output behavior, but does not declare permissions or capability expectations in a way that clearly informs policy enforcement or users. This creates a transparency and governance gap: a user may invoke a seemingly simple OCR skill without realizing it can access credentials from the environment, write files, and run external commands.

Description-Behavior Mismatch

Severity: Low
Confidence: 76%
Finding:
The skill is presented primarily as web extraction and OCR, but the architecture and workflow also include exporting and uploading extracted data to external systems such as Feishu Bitable. That mismatch can mislead users about data egress risk, especially when scraping authenticated pages or sensitive dashboards, and can result in unintended disclosure of extracted data.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding:
The example configuration enables Feishu uploads and includes concrete destination identifiers even though the skill description only mentions browser automation and OCR. Hidden or undocumented outbound data transfer increases the risk that extracted page content or OCR results are exfiltrated to a third-party service without clear user awareness or consent.

Context-Inappropriate Capability

Severity: Medium
Confidence: 85%
Finding:
For a web-extraction/OCR skill, outbound upload to Feishu is not inherently required to fulfill the stated purpose, so this creates unnecessary data egress risk. If users run the skill against sensitive pages, captured text and extracted data could be sent to Feishu unexpectedly, expanding exposure beyond the local workflow.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The documentation encourages extraction from authenticated pages and mentions uploads to external systems without a clear warning about the sensitivity of session-bound content or the consequences of exporting it. In practice, this can lead users to collect private dashboard data and send it to third parties without adequate review, increasing the chance of credential-scoped data leakage.

VirusTotal

67/67 vendors reported this skill as clean.