Back to skill

Security audit

GLM-OCR

Security checks across malware telemetry and agentic risk

Overview

This OCR skill is purpose-aligned, but files and URLs submitted for text extraction are sent to GLM/Zhipu and the API key may be stored locally.

Install this only if you are comfortable sending selected images, PDFs, or document URLs to the GLM/Zhipu OCR service. Protect the ZHIPU_API_KEY, keep the generated .env file out of shared folders and version control, and avoid using this skill for highly confidential or regulated documents unless your policy permits that provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no explicit permissions while its documented behavior clearly requires environment access, local file reads, file writes, and outbound network access. This mismatch can bypass user or platform expectations about what the skill is allowed to do, reducing transparency and making risky data flows harder to review or constrain.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The invocation guidance is broad enough that the skill may be triggered for general image-processing or document-handling requests, not just cases where a user clearly intends third-party OCR. In this context, over-broad routing is risky because the skill sends content to an external API, so accidental invocation could expose sensitive images or PDFs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The usage instructions describe processing local files and remote URLs but do not clearly warn users that the content will be transmitted to an external GLM-OCR API. Because OCR targets often contain sensitive personal, business, or credential-bearing documents, omission of this disclosure can lead to unintended third-party data exposure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script accepts a sensitive API key via the --api-key command-line option and then persists it to a local .env file. Supplying secrets on the command line can expose them through shell history, process listings, CI logs, or audit tooling, so this is a real secret-handling weakness even though the script's purpose is legitimate configuration setup.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This CLI uploads the provided image/PDF content to a third-party OCR service, including local files after base64 encoding, but does not present an explicit warning at execution time that document contents leave the local environment. In an OCR skill, remote processing is expected, yet the lack of a clear user-facing disclosure can cause accidental transmission of sensitive documents, credentials, IDs, or regulated data.

Credential Access

High
Category
Privilege Escalation
Content
if not _validate_config(env_vars):
            sys.exit(1)

        # Write to .env
        _write_env_file(env_vars, skill_root)

        print()
Confidence
84% confidence
Finding
.env

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.