Security audit

汉字书法字体识别

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a calligraphy image recognizer, but it under-discloses that images are sent first to a separate third-party mirror service and may return character recognition rather than font classification.

Review before installing. Use only with images and image URLs you are comfortable sending to third-party services, including xjf123.dy.takin.cc and Hugging Face. Avoid private manuscripts, proprietary scans, or sensitive documents, and avoid exposing a broad Hugging Face token unless authenticated Hugging Face access is intentional.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
78% confidence
Finding
The skill documents outbound network use and use of an API token, but the metadata does not declare corresponding permissions. That creates a transparency and governance gap: the runtime may still access network resources or environment secrets without users and reviewers being clearly informed. In a skill that processes user-supplied images and URLs, undeclared capabilities increase risk because they can enable silent third-party data transfer or secret-backed requests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
This is a material description-behavior mismatch. The skill claims to identify calligraphy font style, but the finding indicates it can fetch arbitrary remote image URLs, send data to an undeclared third-party mirror, and parse outputs for recognized characters rather than font class. That is dangerous because users may unknowingly expose private images/URLs to an unexpected service, and the skill may perform a different task than advertised, undermining trust and consent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill sends uploaded images or fetched image content to external Hugging Face services, but the documentation does not clearly warn users that their data leaves the local platform or explain the privacy implications. This is risky because calligraphy images may include sensitive, copyrighted, or institution-owned material, and URL fetching can also disclose user-requested resources to third parties. The concern is heightened because the skill is designed specifically around transferring images to external inference endpoints.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script transmits user-supplied image content to third-party endpoints without an explicit user-facing disclosure or consent prompt. In this skill context, uploaded images may contain sensitive calligraphy, manuscripts, or cultural artifacts, so silent transmission creates privacy and data-governance risk even if the code is not overtly malicious.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The code automatically reads HF_TOKEN from the environment and may send it in an Authorization header to an external service without clearly informing the user. Although this is common developer practice, undisclosed credential use increases the risk of accidental token exposure or unintended authenticated requests to a third-party endpoint.

VirusTotal

65/65 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.