Back to skill

Security audit

OCR Space: Free OCR API

Security checks across malware telemetry and agentic risk

Overview

This skill performs user-directed OCR by sending a chosen image to OCR.space, with no hidden persistence or unrelated behavior found.

Install only if you are comfortable sending selected images to OCR.space for processing. Avoid using it on IDs, invoices, private screenshots, medical records, or other sensitive images unless that matches your privacy expectations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill promotes OCR on user-supplied images but omits a clear warning that those images are uploaded to a third-party service for processing. Because images often contain sensitive information such as IDs, screenshots, financial data, or private conversations, this omission can mislead users into sending confidential content off-device without informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script transmits the full image contents to a third-party OCR service, but it does not clearly and explicitly warn users at runtime that local files are being uploaded off-device. This creates a privacy and data-handling risk because users may unknowingly send sensitive screenshots, IDs, invoices, or other confidential images to an external service.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.