Ccy Ocr Local

Security checks across malware telemetry and agentic risk

Overview

This skill is a local OCR and chart-recognition tool. The privacy-sensitive language in its roadmap is not implemented as automatic collection or upload behavior.

Install only if you are comfortable running local OCR scripts on images you choose. Treat chart screenshots as potentially sensitive, avoid using private screenshots for training datasets unless you have consent, and review any future version that adds actual data collection or model-training workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium, 88% confidence
Finding
The roadmap expands the skill from local offline OCR into collecting user-provided chart screenshots for internal datasets, which materially changes the data lifecycle and trust boundaries described by the skill. In a local OCR skill, users reasonably expect transient local processing; reusing their files for dataset creation introduces privacy, consent, and retention risks that are not disclosed here.

Description-Behavior Mismatch

Medium, 84% confidence
Finding
The document describes model training, conversion, and deployment workflows that go beyond the advertised runtime behavior of a local offline OCR/chart-recognition skill. This scope expansion is dangerous because it can normalize undisclosed capability growth, including data collection and model supply-chain changes, without corresponding security review or user disclosure.

Missing User Warnings

Medium, 92% confidence
Finding
The roadmap explicitly mentions collecting user-provided chart screenshots but provides no privacy warning, consent language, or handling constraints. Screenshots often contain sensitive business data, PII, or confidential documents, so undocumented collection creates a realistic risk of unauthorized retention, secondary use, and compliance violations.

VirusTotal

64/64 vendors flagged this skill as clean.
