PaddleOCR-VL

Security checks across malware telemetry and agentic risk

Overview

This OCR skill is purpose-aligned, but it gives a Docker container broad local and network access while the documentation understates that risk.

Review before installing. Only use this with trusted images and trusted file paths, and avoid running it on files with unusual or attacker-controlled filenames. Prefer a revised version that disables host networking, avoids root, mounts only the target file read-only, and safely passes the path into the container.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
        output = proc.stdout + proc.stderr
    except subprocess.TimeoutExpired:
        return {"status": "error", "message": f"timeout after {timeout}s"}
Confidence
96% confidence
Finding
proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The OCR skill runs containers with both `--network host` and `--user root`, capabilities that are unnecessary for ordinary document parsing. If the image is compromised, the OCR pipeline is malicious, or the injected inline script is abused, the container gains broad access to host networking and elevated in-container privileges while also reading host-mounted files, substantially increasing blast radius.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The security section is materially misleading: `--network host` does not mean 'no network access' and instead gives the container direct access to the host network namespace. If the OCR container image is compromised or behaves unexpectedly, it could reach internal services, localhost-only endpoints, or other network resources the user would assume were isolated.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The tool silently launches a Docker container with host networking, root user, and a bind mount of the user's file directory, but does not clearly warn the user that OCR involves elevated local system access. In a skill context, this omission is security-relevant because users may assume they are just running local OCR, not granting a container broad access to host resources.

VirusTotal

65/65 vendors flagged this skill as clean.
