Security audit

Compliance Checker Light

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real document-compliance checker, but it needs Review because it can send sensitive documents to external AI/OCR services and supports command-based secret resolution with broad local authority.

Install only if you are comfortable with document text and images being sent to the configured LLM, embedding, vision, or OCR providers. Prefer private or local endpoints for sensitive compliance documents, avoid untrusted SecretRef exec providers, and review/pin dependencies before use in regulated or enterprise environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (33)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises significant capabilities—filesystem access, network access, environment/secret access, shell execution, and file write behavior—without an explicit permissions declaration. In an agent setting, this weakens policy enforcement and user visibility, making it easier for the skill to access local documents, exfiltrate data to external services, or invoke subprocesses without clear consent boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documentation frames the skill as a Python API for compliance review, but the behavior includes broader operational features such as CLI entry points, environment/dependency reporting, secret loading via file/exec providers, directory scanning, and external multimodal processing. This mismatch can cause agents or users to authorize the skill under an incomplete trust model, underestimating its ability to inspect the host environment, resolve secrets, and send content externally.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The health-check routine performs a real outbound Vision API connectivity test when a key is present, which creates an unnecessary external network action for a diagnostic command. In a document-review skill, this expands the attack surface by sending requests to a third-party service during health checks, potentially leaking operational metadata and enabling unintended egress in environments that expect diagnostics to remain local.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
This module allows secret resolution via arbitrary external command execution, which materially expands the skill's capabilities beyond document-compliance checking. If provider configuration is attacker-controlled or influenced by an untrusted deployment, the application can execute local programs and expose secrets or perform unintended system actions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This client sends document images to a third-party cloud vision model endpoint for analysis. In a compliance-review skill, documents may contain seals, signatures, invoices, IDs, or other regulated/sensitive content, so undisclosed external transmission creates a real data-exposure and compliance risk even if the code is functionally correct.

Context-Inappropriate Capability

Low
Confidence
78% confidence
Finding
The fallback to generic LLM_API_KEY and LLM_BASE_URL broadens this component from a fixed-purpose visual checker into a client that can talk to arbitrary compatible endpoints when environment variables are present. That increases the chance of misrouting sensitive document images to unintended services and weakens least-privilege boundaries for a document-compliance skill.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The command passes parsed document content into an LLM-backed timeliness evaluator without any disclosure, consent, or visible control in this code path. Because this skill processes potentially sensitive compliance documents (PDFs, Word files, scans, invoices, approvals), sending their contents to an LLM can expose confidential data to external services, logging layers, or downstream processors.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The checker sends document images to an injected external visual client for seal/signature detection, but this code path provides no consent gate, policy check, redaction step, or explicit disclosure at the transmission point. In a compliance-review skill, documents commonly contain sensitive business, personal, or regulated information, so silent transfer to a third-party model/service creates a real confidentiality and privacy risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
For PDFs, the code converts pages into images and then analyzes them via the visual client, which may expose full page contents externally rather than only the seal/signature region. Because project compliance documents can include IDs, contracts, invoices, and approval materials, sending page-rendered content off-box without explicit disclosure or safeguards is a genuine data-exposure issue.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code sends raw document context to an external LLM client for extraction without any visible consent, disclosure, redaction, or data-classification gate. In this skill's context, the documents are compliance, approval, invoice, and stamped/signature-bearing materials, which often contain sensitive business or personal data, so unintended disclosure to a third-party model service is a real confidentiality risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
When the Aliyun backend is selected, document/image contents are transmitted to a third-party cloud OCR service, but this file provides no runtime consent gate, policy check, or user-facing warning at the point of transfer. In a compliance-review skill, documents are likely to contain sensitive business, financial, or personal data, so silent off-box transmission creates a real confidentiality and regulatory risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code sends arbitrary input text to an external embedding API, which can expose sensitive document names or extracted content to a third-party service without any visible consent, classification, redaction, or policy gate in this component. In a compliance-checking skill that may process contracts, invoices, permits, signatures, and approval materials, this increases the likelihood of regulated or confidential data leaving the trust boundary.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
These request paths package image bytes as base64 and POST them to an external API, but the code contains no visible consent, disclosure, or policy gate around that transfer. Because this skill processes compliance documents, the uploaded images are likely to contain sensitive business and personal information, making silent third-party transmission materially risky.

Ssd 2

Medium
Confidence
95% confidence
Finding
The skill states that user-supplied target strings are passed directly into the vision-model prompt. That creates a prompt-injection channel where an attacker can smuggle instructions through seemingly normal labels, potentially altering model behavior, degrading detection integrity, or causing the model to reveal unintended information from the processed document.

Ssd 1

Medium
Confidence
92% confidence
Finding
User-controlled target text is inserted directly into the multimodal prompt without normalization or constraint, allowing semantic prompt injection against the downstream vision model. An attacker can supply target text that changes task intent, requests policy bypasses, or manipulates model output, which is especially relevant here because the skill is used for compliance judgments on potentially sensitive documents.

Ssd 2

Medium
Confidence
94% confidence
Finding
The seal prompt embeds raw target text inside executable natural-language instructions, so adversarial phrasing can steer or override the intended detection behavior. In a compliance-review skill, this can produce false attestations such as claiming a seal exists or altering reasoning, undermining trust in document validation outcomes.

Ssd 2

Medium
Confidence
94% confidence
Finding
The signature prompt repeats the same raw interpolation pattern, so an attacker can phrase the target to influence the model beyond simple signature detection. Because this skill is intended to assess signatures for compliance, manipulated prompts can lead to incorrect accept/reject decisions and weaken the integrity of approval workflows.

External Transmission

Medium
Category
Data Exfiltration
Content
| Config item | Required | Default | Description |
|--------|------|--------|------|
| `llm_api_key` | Yes | - | LLM API key |
| `llm_base_url` | No | `https://api.openai.com/v1` | LLM API endpoint |
| `llm_model` | No | `gpt-4o` | LLM model name |
| `llm_timeout` | No | `60` | Request timeout (seconds) |
| `llm_max_retries` | No | `3` | Maximum retry count |
Confidence
95% confidence
Finding
https://api.openai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
### Optional configuration

- `llm_base_url`: LLM API endpoint (default: https://api.openai.com/v1)
- `llm_model`: LLM model name (default: gpt-4o)
- `llm_timeout`: request timeout (default: 60 seconds)
- `llm_max_retries`: maximum retry count (default: 3)
Confidence
84% confidence
Finding
https://api.openai.com/

Unpinned Dependencies

Low
Category
Supply Chain
Content
# -------------------- MCP framework --------------------
mcp>=1.0.0

# -------------------- LLM client --------------------
# OpenAI-compatible API client (supports DashScope, Moonshot, DeepSeek, etc.)
Confidence
94% confidence
Finding
mcp>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# -------------------- LLM client --------------------
# OpenAI-compatible API client (supports DashScope, Moonshot, DeepSeek, etc.)
openai>=1.0.0

# -------------------- Document parsing --------------------
# PDF parsing (PyMuPDF)
Confidence
88% confidence
Finding
openai>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# -------------------- Document parsing --------------------
# PDF parsing (PyMuPDF)
PyMuPDF>=1.23.0

# Word document parsing
python-docx>=0.8.11
Confidence
90% confidence
Finding
PyMuPDF>=1.23.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
PyMuPDF>=1.23.0

# Word document parsing
python-docx>=0.8.11

# -------------------- Image processing --------------------
Pillow>=10.0.0
Confidence
95% confidence
Finding
python-docx>=0.8.11

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-docx>=0.8.11

# -------------------- Image processing --------------------
Pillow>=10.0.0

# -------------------- Async HTTP client --------------------
# Used for vision model API calls and async HTTP requests
Confidence
96% confidence
Finding
Pillow>=10.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# -------------------- Async HTTP client --------------------
# Used for vision model API calls and async HTTP requests
aiohttp>=3.9.0

# -------------------- Configuration and data --------------------
# YAML parsing
Confidence
93% confidence
Finding
aiohttp>=3.9.0

VirusTotal

67/67 vendors flagged this skill as clean.