ClawHub

VIN Recognition OCR - VIN识别

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it uploads a user-provided VIN image to JisuAPI for OCR and returns vehicle identifier details.

Install this only if you are comfortable sending VIN photos, and any visible document or vehicle details in them, to JisuAPI. Use a dedicated JisuAPI key where possible, monitor quota or billing, and provide only the intended cropped VIN image rather than broader sensitive paperwork.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger text is broad and fuzzy, which can cause the agent to invoke the skill on loosely related user requests and process vehicle images without sufficiently clear intent. Because the skill sends image contents to a third-party OCR provider, overbroad invocation increases the chance of unintended data disclosure and unnecessary external processing.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill lacks a clear user-facing warning that uploaded vehicle photos or document images are transmitted to a third-party OCR API. VINs and supporting document imagery can be sensitive, so silent sharing creates a privacy and compliance risk, especially if users assume processing is local.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill sends user-supplied image content to a third-party VIN recognition service, but there is no explicit user-facing notice or consent step before transmission. VIN images can contain sensitive vehicle identifiers and possibly metadata, so silent external transfer creates a privacy and data-handling risk even though the network call itself is intentional for the feature.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal