GLM-OCR-Formula

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed wrapper around GLM-OCR formula extraction: it sends user-selected files or URLs to ZhiPu's API, and the scans below show no hidden or destructive behavior.

Install only if you are comfortable using a ZhiPu API key and sending the selected images or PDFs to ZhiPu's remote OCR service. Treat saved output, especially --include-raw files, as potentially sensitive because it may contain extracted document text and metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill declares no permissions while its documented behavior clearly requires access to environment variables, local files, file output, and network access. This under-declaration is dangerous because it hides the actual trust boundary from users and reviewers, increasing the chance that sensitive files or API secrets are exposed without informed consent.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The skill is presented as formula-only OCR, but the documentation shows it can perform broader document OCR, layout parsing, arbitrary local file processing, and remote URL fetching. This mismatch is dangerous because operators may authorize it for a narrow use case while it actually has a much broader data-extraction surface, including non-formula content from sensitive documents.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The tool sends user-supplied local files or remote URLs to a third-party OCR API, but the CLI flow does not present a clear user-facing warning that content leaves the local host. In a skill handling potentially sensitive PDFs, images, or formulas, this can cause unintended disclosure of confidential data to an external service.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The --include-raw option combined with --output can persist full upstream API responses to disk without a strong warning that OCR results may contain sensitive extracted content or metadata. This increases the chance of confidential data being stored in plaintext files, retained longer than intended, or exposed via insecure filesystem permissions or backups.
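The three findings above (undeclared capabilities, no off-host warning, and raw responses written to disk) are all fixable in the CLI wrapper itself. The following is an added example written for this page, not code from the GLM-OCR-Formula skill or from ZhiPu: it derives the capabilities a run will actually exercise and diffs them against a manifest, builds an explicit notice before anything is uploaded, and writes results as owner-only, non-clobbering files with the raw upstream body dropped unless requested. The capability names, the dict-shaped `args`, the placeholder `DEFAULT_API_HOST`, the manifest contents and the fake API result are all assumptions for illustration.

```python
"""Three hardening checks for a CLI that uploads local files or URLs to a remote OCR API.

Constructed example; this is not the GLM-OCR-Formula skill's own code. It derives
the capabilities a run will exercise and diffs them against what a manifest
declares, prints an explicit off-host data notice before anything is sent, and
persists results (optionally with the raw upstream response) as owner-only files.
The capability names, DEFAULT_API_HOST and the ``args`` layout are assumptions.
"""
import json
import os
import stat
import tempfile
from urllib.parse import urlparse

DEFAULT_API_HOST = "api.example.invalid"  # placeholder; the real upstream host is not assumed


def _is_url(target: str) -> bool:
    return urlparse(target).scheme in ("http", "https")


def required_capabilities(args: dict) -> set:
    """Capabilities a single invocation will use.

    ``args`` mirrors the documented options: ``inputs`` (paths or URLs),
    ``output`` (path or None) and ``include_raw`` (bool).
    """
    caps = {"env:read", "network:egress"}           # API key from env; upload to the API
    for target in args["inputs"]:
        caps.add("network:fetch-url" if _is_url(target) else "fs:read")
    if args.get("output"):
        caps.add("fs:write")
        if args.get("include_raw"):
            caps.add("fs:write-raw-response")       # full upstream body lands on disk
    return caps


def undeclared_capabilities(declared: set, args: dict) -> set:
    """What the run needs that the manifest does not declare (the Lp3 finding)."""
    return required_capabilities(args) - set(declared)


def egress_notice(args: dict, api_host: str = DEFAULT_API_HOST) -> str:
    """User-facing warning that content leaves the local host."""
    lines = [f"The following will be sent to {api_host}, a third-party OCR service:"]
    for target in args["inputs"]:
        kind = "remote URL" if _is_url(target) else "local file"
        lines.append(f"  {kind}: {target}")
    if args.get("include_raw") and args.get("output"):
        lines.append(f"  raw API responses (extracted text and metadata) will be saved to {args['output']}")
    return "\n".join(lines)


def confirm_egress(answer: str) -> bool:
    """Proceed only on an explicit yes; an empty or unexpected answer aborts."""
    return answer.strip().lower() in ("y", "yes")


def write_output(path: str, result: dict, include_raw: bool) -> int:
    """Write results readable by the owner only and return the resulting mode bits.

    The raw upstream body is dropped unless explicitly requested, and an existing
    file is never clobbered, so a stale world-readable copy cannot be reused silently.
    """
    payload = dict(result)
    if not include_raw:
        payload.pop("raw_response", None)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        os.fchmod(fh.fileno(), 0o600)               # do not trust the caller's umask
        json.dump(payload, fh)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Run all three checks on constructed input and return the outcomes."""
    workdir = tempfile.mkdtemp(prefix="ocr-demo-")
    args = {"inputs": ["thesis.pdf", "https://example.org/page3.png"],
            "output": os.path.join(workdir, "result.json"), "include_raw": True}
    manifest_declared = {"env:read", "network:egress"}   # assumed manifest content
    fake_result = {"formulas": ["E = mc^2"],             # constructed API result
                   "raw_response": {"request_id": "req-000", "text": "full page text"}}
    out = {"undeclared": undeclared_capabilities(manifest_declared, args),
           "notice": egress_notice(args),
           "proceed": confirm_egress("y")}
    out["mode_raw"] = write_output(args["output"], fake_result, include_raw=True)
    redacted = os.path.join(workdir, "redacted.json")
    out["mode_redacted"] = write_output(redacted, fake_result, include_raw=False)
    with open(redacted, encoding="utf-8") as fh:
        out["redacted_keys"] = sorted(json.load(fh))
    try:
        write_output(redacted, fake_result, include_raw=False)
        out["clobbered"] = True
    except FileExistsError:
        out["clobbered"] = False
    return out


if __name__ == "__main__":
    outcome = demo()
    print(outcome["notice"])
    print("undeclared capabilities:", sorted(outcome["undeclared"]))
    print("output modes:", oct(outcome["mode_raw"]), oct(outcome["mode_redacted"]))
```

A reviewer can run the capability diff against the skill's manifest as a pre-install check: anything in the `undeclared` set is a capability the skill exercises without declaring it. The notice and confirmation gate belong before the first network call, and `O_EXCL` plus `fchmod(0o600)` are what keep a saved `--include-raw` response from landing world-readable under a permissive umask.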

VirusTotal

0 of 66 VirusTotal vendors flagged this skill; all 66 reported it clean.

View on VirusTotal