Ollama OCR

Security checks across malware telemetry and agentic risk

Overview

This skill appears to perform local, Ollama-based OCR as described. The main caution is that full image contents are sent over plain HTTP to a configured Ollama endpoint, so the skill is only as trustworthy as that endpoint and the network path to it.

Before installing, confirm that 172.17.0.2:11434 reaches your own local Ollama instance and not an untrusted service (the instance's /api/tags listing is a quick way to check what is answering there). Avoid processing sensitive images unless you control both the Ollama host and the network path to it, and pin a trusted model by name and digest instead of relying on a mutable `latest` tag.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill documentation instructs use of a hard-coded network endpoint (`http://172.17.0.2:11434`) and references Python code that performs network access, but the skill declares no corresponding permissions. Even though this is intended for local Docker-to-host communication, undeclared network capability weakens security review and could allow unexpected data flow from sensitive images to any service reachable at that address if the environment is misconfigured or the code is modified.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill sends full image contents to the Ollama API over plain HTTP, which provides no transport encryption or peer authentication. If the service is reached over a container bridge, local network, or any non-isolated path, an attacker with network visibility could intercept sensitive image data or tamper with responses; there is also no user-facing disclosure that image contents leave the process boundary.
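The pre-install checks the overview recommends, applied to the two findings above (is the hard-coded endpoint actually a local Ollama instance reached over a path you control, and is the model pinned by digest rather than a floating tag), as an added example. This is not the skill's own code and not SkillSpector's; the function names, the `ocr-model` name, the digest and the sample /api/tags response are constructed placeholders, and the only Ollama facts relied on are that `GET /api/tags` returns a JSON object whose `models` array carries `name` and `digest` fields.

```python
"""Pre-install checks for an Ollama-backed OCR skill.

Added example; not the skill's own code. Everything below the imports is an
assumption about how you would verify the endpoint and pin a model.
"""
import ipaddress
import json
import urllib.request
from urllib.parse import urlparse

# The endpoint the skill hard-codes, plus a model you decided to trust.
# Name and digest are constructed placeholders, not a real Ollama model entry.
OLLAMA_URL = "http://172.17.0.2:11434"
PINNED_MODEL = {"name": "ocr-model:1.0", "digest": "ab" * 32}


def check_endpoint(url: str) -> list[str]:
    """Return the problems with a configured Ollama URL (empty list means OK).

    Plain HTTP is tolerated only for loopback/private addresses, which covers
    the Docker-bridge address the skill documents; a host outside your own
    network is always reported, and reported twice if it is also plain HTTP.
    """
    problems = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        problems.append(f"unexpected scheme {parsed.scheme!r}")
    try:
        addr = ipaddress.ip_address(host)
        local = addr.is_loopback or addr.is_private
    except ValueError:  # a hostname rather than a literal address
        local = host in ("localhost", "host.docker.internal")
    if not local:
        problems.append(f"host {host!r} is not a loopback/private address")
        if parsed.scheme == "http":
            problems.append("plain HTTP to a non-local host: image contents "
                            "would be readable on the wire")
    return problems


def check_pinned_model(tags_json: str, pinned: dict) -> tuple[bool, str]:
    """Check an Ollama /api/tags response body for the pinned model.

    Ollama lists installed models under the "models" key with a "name" and a
    "digest"; a service that answers without that key is not Ollama.
    """
    try:
        models = json.loads(tags_json)["models"]
    except (ValueError, KeyError, TypeError):
        return False, "endpoint did not answer like an Ollama instance"
    for model in models:
        if model.get("name") == pinned["name"]:
            if model.get("digest") == pinned["digest"]:
                return True, "pinned model present with the expected digest"
            return False, f"digest mismatch for {pinned['name']}: {model.get('digest')}"
    return False, f"{pinned['name']} is not installed on this instance"


def fetch_tags(url: str, timeout: float = 3.0) -> str:
    """GET /api/tags from the configured endpoint (live network call)."""
    with urllib.request.urlopen(f"{url.rstrip('/')}/api/tags", timeout=timeout) as resp:
        return resp.read().decode()


# Constructed sample response so the checks can be exercised offline.
SAMPLE_TAGS = json.dumps({"models": [
    {"name": "ocr-model:1.0", "digest": "ab" * 32, "size": 1},
    {"name": "ocr-model:latest", "digest": "cd" * 32, "size": 1},
]})


if __name__ == "__main__":
    for problem in check_endpoint(OLLAMA_URL):
        print("endpoint:", problem)
    try:
        body = fetch_tags(OLLAMA_URL)
    except OSError as exc:
        print("endpoint unreachable, checking the sample response instead:", exc)
        body = SAMPLE_TAGS
    print(check_pinned_model(body, PINNED_MODEL))
```

Run it from the same network namespace the skill will run in: a Docker bridge address such as 172.17.0.2 only means something from inside that bridge, so a check run on the host can pass while the container still talks to something else. Treat a `digest mismatch` as a stop, not a warning; a tag that resolves to a different digest than the one you reviewed is exactly the "changing latest tag" case the overview warns about.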

VirusTotal

61/61 vendors flagged this skill as clean.
