Yqzl Ai Service

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real OCR integration, but it sends sensitive documents and credentials over plaintext HTTP and includes an unauthenticated self-updater that can replace the installed skill.

Install only if you trust this publisher, are comfortable sending financial documents to the listed remote service, and accept the plaintext HTTP and self-update risks. Avoid using highly sensitive bank statements or invoices unless the service provides HTTPS, clear data handling terms, and signed updates; configure the API key carefully because the documented command can expose it in shell history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (13)

Tainted flow: 'url' from os.environ.get (line 73, credential/environment) → requests.get (network output)

Critical
Category
Data Flow
Content
    """Fetch the latest version information from the remote server."""
    url = update_url or DEFAULT_UPDATE_URL
    try:
        # Flagged line: the response is fetched over whatever scheme the URL
        # specifies (plaintext HTTP by default) and is not authenticated.
        resp = requests.get(url, timeout=15)
        resp.raise_for_status()
        return resp.json()
    except requests.exceptions.Timeout:
Confidence
95% confidence
Finding
resp = requests.get(url, timeout=15)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The trigger conditions instruct the agent to run updater commands in response to upgrade-related phrases, even though updating the local skill is not part of the core OCR function. This enables the skill to initiate local maintenance actions and remote retrieval flows that exceed the least-privilege expectations for a document parsing service.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The agent workflow explicitly tells the agent to check for and perform updates, which broadens behavior from service invocation into software lifecycle management. In context, that makes accidental or socially engineered invocation more dangerous because ordinary user conversation can lead to local update actions and remote package retrieval.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script is presented as an API key configuration utility, but it also contains an upgrade path that imports and executes updater logic, optionally from a user-supplied URL. Bundling self-update behavior into a credential-management tool increases supply-chain and social-engineering risk because users may run it expecting only local key handling while it performs network and system-modifying actions.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The module docstring and CLI description describe only API key configuration, while the code also supports upgrading the skill. This mismatch can mislead users and reviewers about the script's true capabilities, reducing informed consent and making hidden network/update behavior harder to detect in a security-sensitive context.

Description-Behavior Mismatch

High
Confidence
87% confidence
Finding
This skill is described as an OCR/document parsing service, but the file implements a self-updater that can modify the installed skill contents. That hidden capability expands the trust boundary well beyond the stated purpose and creates a supply-chain style execution path where future behavior can be changed after installation.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code downloads a remote ZIP archive and installs it over the existing skill directory, effectively granting remote code replacement capability. In the context of an OCR service, this is unjustified high-risk functionality and becomes especially dangerous because the archive contents are not authenticated before extraction and deployment.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The auto-trigger keywords are broad and include generic phrases such as ping, service status, update, or trial-related language, which can cause unintended invocation. In this skill, unintended invocation is more risky because it may lead to external file transmission or updater command paths, not just harmless local formatting.

Missing User Warnings

High
Confidence
98% confidence
Finding
The usage instructions encourage passing local file paths or file URLs to OCR APIs but do not clearly warn that documents will be sent to an external service. Because the documents are financial records, invoices, and bank statements, the missing disclosure materially increases privacy, confidentiality, and compliance risk.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The client transmits local documents, URLs, callback endpoints, and an API key to a remote third-party service with no explicit user-facing privacy or security warning at execution time. In this skill context, the documents are likely financial receipts, bank statements, and invoices, so the data is highly sensitive and the hardcoded use of plain HTTP increases the risk of interception or unintended disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Accepting the API key as a positional command-line argument can expose the secret through shell history, process listings, terminal logging, and audit tooling. Because this script manages credentials, the skill context makes this more dangerous: it directly encourages unsafe handling of a high-value secret.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The upgrade command executes updater code without clearly warning the user that it may perform network access and modify the installed skill. In a tool framed around API key management, this hidden behavior increases the chance of unintended execution of risky update logic and can amplify supply-chain compromise impact.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The updater replaces and deletes files in the skill directory automatically once invoked, without any interactive confirmation or safety gate. While this is not the root cause of compromise, it reduces friction for accidental or malicious misuse and increases the blast radius of a bad or tampered update.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal