Iflytek Ocr Invoice

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it sends sensitive invoice images to a third-party OCR API and includes unsafe troubleshooting steps that print full API secrets.

Install only if you are comfortable sending invoice, receipt, bill, and possible medical or travel document images to iFlytek for OCR. Do not run the documented echo commands that print full XFYUN credentials; verify only whether variables are set, mask values in logs, and rotate credentials if they were exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Lp3

Severity
Medium
Category
MCP Least Privilege
Confidence
88%
Finding
The skill metadata declares required environment variables and the documentation clearly describes calling an external OCR API, but there is no explicit permission declaration covering network access and secret/env usage. This creates a transparency and governance gap: users or platforms may not realize the skill can transmit files and use credentials, making review and consent weaker.

Missing User Warnings

Severity
Medium
Confidence
88%
Finding
The README explicitly states that invoice, receipt, and bill images are processed via the iFlytek OCR API, which means potentially sensitive financial and personal data is transmitted to a third party. Without an explicit privacy warning, users may unknowingly expose regulated or confidential documents, especially in enterprise reimbursement, medical, or tax workflows.

Missing User Warnings

Severity
Low
Confidence
79%
Finding
The README instructs users to place API credentials in environment variables but does not warn that these values are secrets that must not be logged, committed, or exposed to untrusted subprocesses. While environment variables are common practice, missing secret-handling guidance increases the chance of accidental credential leakage and unauthorized API use.

Missing User Warnings

Severity
Medium
Confidence
95%
Finding
This skill processes invoices, receipts, and bills, which commonly contain sensitive personal and financial data, and sends that data to iFlytek's third-party OCR service. The documentation mentions the API endpoint but does not clearly warn users that their uploaded images and extracted data leave the local environment, which undermines informed consent and privacy expectations.

Missing User Warnings

Severity
High
Confidence
99%
Finding
The troubleshooting instructions explicitly tell users to echo `XFYUN_APP_ID`, `XFYUN_API_KEY`, and `XFYUN_API_SECRET` to the terminal, revealing the full secret values in plaintext. Secrets displayed this way can be captured by screen sharing, terminal session logging and scrollback, copy-pasted shell transcripts, support screenshots, or nearby observers, leading to credential compromise.

Missing User Warnings

Severity
Medium
Confidence
95%
Finding
The script base64-encodes the user-supplied invoice image and sends it to a third-party OCR endpoint, but it does not provide any explicit user-facing disclosure that invoice contents and potentially sensitive personal or financial data will leave the local environment. In the context of invoice and receipt processing, this is a real privacy and data-governance risk because users may assume OCR is local unless clearly warned otherwise.

Ssd 3

Severity
High
Confidence
99%
Finding
The guidance instructs users to print full credential environment variables during troubleshooting, which is a direct secret-disclosure anti-pattern. Because these credentials authenticate access to a paid OCR service, exposure could enable unauthorized API usage, billing abuse, and downstream access tied to the same account.
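The two credential-disclosure findings above, and the verdict's advice to "verify only whether variables are set, mask values in logs", both come down to replacing the documented echo commands with a check that never prints a full secret. The script below is an added example, not taken from the skill's documentation or the iFlytek SDK. The variable names are the three cited in the findings; the masking rule (first two and last two characters, and nothing at all for values of six characters or fewer), the function names, and the `--check` flag are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the skill's docs): confirm the XFYUN_* credentials
# are present without revealing them. Variable names are those cited in the
# finding; the masking rule and function names are this example's own choices.

# mask_secret VALUE -> "ab****yz (len N)", or "****** (len N)" for short values.
# Uses POSIX parameter expansion only, so the value is never handed to an
# external process (no cut/rev/awk that could show up in process listings).
mask_secret() {
    value=$1
    len=${#value}
    if [ "$len" -le 6 ]; then
        printf '****** (len %s)\n' "$len"
        return 0
    fi
    rest=${value#??}                 # everything after the first two chars
    head=${value%"$rest"}            # first two chars
    prefix=${value%??}               # everything before the last two chars
    tail=${value#"$prefix"}          # last two chars
    printf '%s****%s (len %s)\n' "$head" "$tail" "$len"
}

# check_xfyun_env -> one line per variable; exit status is the number of
# variables that are unset or empty, so 0 means the skill can authenticate.
check_xfyun_env() {
    missing=0
    for name in XFYUN_APP_ID XFYUN_API_KEY XFYUN_API_SECRET; do
        # Names come from the fixed list above, so eval sees no untrusted input.
        eval "value=\${$name-}"
        if [ -z "$value" ]; then
            printf '%s: UNSET\n' "$name"
            missing=$((missing + 1))
        else
            printf '%s: set, %s\n' "$name" "$(mask_secret "$value")"
        fi
    done
    return "$missing"
}

# Usage: sh check_xfyun_env.sh --check    (instead of echo "$XFYUN_API_KEY")
# Make sure `set -x` tracing is off first; it would print the values anyway.
if [ "${1-}" = "--check" ]; then
    check_xfyun_env
fi
```

The output is safe to paste into a support ticket or a CI log: it tells you which variable is missing and lets you confirm you loaded the right key (by its ends and length) without the value itself ever reaching the terminal. If the original echo commands were already run on a shared screen or captured in a log, masking afterwards does not help; rotate the credentials as the verdict says.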

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal