Veryfi Documents AI

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Veryfi document OCR integration, but uploaded documents leave your environment and may contain sensitive personal or financial data.

Install only if you are comfortable sending the target documents to Veryfi under your account. Use environment variables or a secret store for credentials, avoid committing keys, test with sample documents first, and do not upload passports, tax forms, bank records, checks, medical documents, or other highly sensitive files until you have reviewed Veryfi’s privacy, retention, and compliance terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (15)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README provides copy-paste examples for uploading highly sensitive documents such as bank statements, passports, W-9s, and invoices to a third-party OCR service, but the usage section does not prominently warn users at the point of use that document contents are being transmitted off-platform. While the external transmission is the intended function of the skill, the missing contextual privacy warning increases the risk of accidental disclosure of financial and identity data by users who may not realize the sensitivity implications.

External Transmission

Medium
Category
Data Exfiltration
Content
For Receipts and Invoices:
```bash
curl -X POST "https://api.veryfi.com/api/v8/partner/documents/" \
  -H "Content-Type: multipart/form-data" \
  -H "Client-Id: $VERYFI_CLIENT_ID" \
  -H "Authorization: apikey $VERYFI_USERNAME:$VERYFI_API_KEY" \
```
Confidence
91% confidence
Finding
curl -X POST "https://api.veryfi.com/api/v8/partner/documents/" \ -H "Content-Type: multipart/form-data" \ -H "Client-Id: $VERYFI_CLIENT_ID" \ -H "Authorization: apikey $VERYFI_USERNAME:$VERYFI_

External Transmission

Medium
Category
Data Exfiltration
Content
For Receipts and Invoices:
```bash
curl -X POST "https://api.veryfi.com/api/v8/partner/documents/" \
  -H "Content-Type: multipart/form-data" \
  -H "Client-Id: $VERYFI_CLIENT_ID" \
  -H "Authorization: apikey $VERYFI_USERNAME:$VERYFI_API_KEY" \
```
Confidence
91% confidence
Finding
https://api.veryfi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
For Bank Statements:
```bash
curl -X POST "https://api.veryfi.com/api/v8/partner/bank-statements/" \
  -H "Content-Type: multipart/form-data" \
  -H "Client-Id: $VERYFI_CLIENT_ID" \
  -H "Authorization: apikey $VERYFI_USERNAME:$VERYFI_API_KEY" \
```
Confidence
95% confidence
Finding
https://api.veryfi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
### Extract data from a Receipt or Invoice (file upload)

```bash
curl -X POST "https://api.veryfi.com/api/v8/partner/documents/" \
  -H "Content-Type: multipart/form-data" \
  -H "Client-Id: $VERYFI_CLIENT_ID" \
  -H "Authorization: apikey $VERYFI_USERNAME:$VERYFI_API_KEY" \
```
Confidence
93% confidence
Finding
https://api.veryfi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Encode the file first
BASE64_DATA=$(base64 -i invoice.pdf)

curl -X POST "https://api.veryfi.com/api/v8/partner/documents/" \
  -H "Content-Type: application/json" \
  -H "Client-Id: $VERYFI_CLIENT_ID" \
  -H "Authorization: apikey $VERYFI_USERNAME:$VERYFI_API_KEY" \
```
Confidence
94% confidence
Finding
https://api.veryfi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
### Extract data from a URL

```bash
curl -X POST "https://api.veryfi.com/api/v8/partner/documents/" \
  -H "Content-Type: application/json" \
  -H "Client-Id: $VERYFI_CLIENT_ID" \
  -H "Authorization: apikey $VERYFI_USERNAME:$VERYFI_API_KEY" \
```
Confidence
89% confidence
Finding
https://api.veryfi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
### Extract data from a Passport

```bash
curl -X POST "https://api.veryfi.com/api/v8/partner/any-documents/" \
  -H "Content-Type: multipart/form-data" \
  -H "Client-Id: $VERYFI_CLIENT_ID" \
  -H "Authorization: apikey $VERYFI_USERNAME:$VERYFI_API_KEY" \
```
Confidence
96% confidence
Finding
https://api.veryfi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
### Extract data from Checks

```bash
curl -X POST "https://api.veryfi.com/api/v8/partner/checks/" \
  -H "Content-Type: multipart/form-data" \
  -H "Client-Id: $VERYFI_CLIENT_ID" \
  -H "Authorization: apikey $VERYFI_USERNAME:$VERYFI_API_KEY" \
```
Confidence
95% confidence
Finding
https://api.veryfi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
### Extract data from W-9s

```bash
curl -X POST "https://api.veryfi.com/api/v8/partner/w9s/" \
  -H "Content-Type: multipart/form-data" \
  -H "Client-Id: $VERYFI_CLIENT_ID" \
  -H "Authorization: apikey $VERYFI_USERNAME:$VERYFI_API_KEY" \
```
Confidence
96% confidence
Finding
https://api.veryfi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# W-2
curl -X POST "https://api.veryfi.com/api/v8/partner/any-documents/" \
  -H "Content-Type: multipart/form-data" \
  -H "Client-Id: $VERYFI_CLIENT_ID" \
  -H "Authorization: apikey $VERYFI_USERNAME:$VERYFI_API_KEY" \
```
Confidence
96% confidence
Finding
https://api.veryfi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
-F "blueprint_name=w2"

# W-8
curl -X POST "https://api.veryfi.com/api/v8/partner/any-documents/" \
  -H "Content-Type: multipart/form-data" \
  -H "Client-Id: $VERYFI_CLIENT_ID" \
  -H "Authorization: apikey $VERYFI_USERNAME:$VERYFI_API_KEY" \
```
Confidence
95% confidence
Finding
https://api.veryfi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Extract and pull ocr_text with jq
curl -X POST "https://api.veryfi.com/api/v8/partner/documents/" \
  -H "Content-Type: multipart/form-data" \
  -H "Client-Id: $VERYFI_CLIENT_ID" \
  -H "Authorization: apikey $VERYFI_USERNAME:$VERYFI_API_KEY" \
```
Confidence
92% confidence
Finding
https://api.veryfi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
Identify the document type without full data extraction. Useful for routing documents to the correct processing endpoint, pre-filtering uploads, or bulk sorting.

```bash
curl -X POST "https://api.veryfi.com/api/v8/partner/classify/" \
  -H "Content-Type: multipart/form-data" \
  -H "Client-Id: $VERYFI_CLIENT_ID" \
  -H "Authorization: apikey $VERYFI_USERNAME:$VERYFI_API_KEY" \
```
Confidence
88% confidence
Finding
https://api.veryfi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
To classify against custom types, pass a `document_types` array:
```bash
curl -X POST "https://api.veryfi.com/api/v8/partner/classify/" \
  -H "Content-Type: multipart/form-data" \
  -H "Client-Id: $VERYFI_CLIENT_ID" \
  -H "Authorization: apikey $VERYFI_USERNAME:$VERYFI_API_KEY" \
```
Confidence
88% confidence
Finding
https://api.veryfi.com/

VirusTotal

65/65 vendors flagged this skill as clean.
