ClawHub

Sm Ocr Scanner

Security checks across malware telemetry and agentic risk

Overview

This OCR skill is mostly a local Tesseract wrapper, but it also includes a runnable helper that can upload user images to OCR.space without clear top-level disclosure.

Review before installing if you process private or regulated documents. Use scripts/ocr.sh only if you want local Tesseract OCR, avoid scripts/example.py unless you intentionally accept sending images or URLs to OCR.space, and treat PDF inputs as creating temporary page images on disk during processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
This documentation claims the skill performs OCR locally with `tesseract`, but the analyzer indicates the implementation also sends image data to an external OCR service, accepts remote URLs, and processes PDFs. That mismatch is dangerous because users may provide sensitive local documents believing processing stays on-host, when in reality data may be disclosed to third parties and the attack surface expands beyond the declared purpose.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The reference documentation directs users toward a third-party OCR API even though the skill metadata says OCR is performed locally with the system tesseract binary. This mismatch can cause operators or downstream code to send image data externally, creating unexpected data exfiltration, privacy, compliance, and trust risks.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The usage section explicitly says the skill's example script demonstrates calling OCR.space, which directly contradicts the stated local-processing design. In a security-sensitive context, contradictory docs are dangerous because they normalize or encourage network transmission of potentially sensitive images that users expect to remain on-host.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill metadata and code behavior materially differ: instead of using a local `tesseract` binary, the script sends image data or image URLs to a third-party OCR API. This creates an undisclosed data exfiltration path for potentially sensitive local files and violates user expectations about local-only processing.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code performs OCR by transmitting either local file contents or a supplied URL to a third-party service, despite the stated purpose being local OCR. In the context of an OCR skill expected to process user files locally, this substantially increases privacy and confidentiality risk because sensitive images may leave the host environment.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The docstring presents the script as a helper for the local OCR skill while concealing that it uses the ocr.space demo API. Misleading documentation is dangerous here because it can cause operators to approve or run the skill under a false assumption that no external transmission occurs.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
At the moment the request is sent, the script provides no user-facing warning that local image contents or referenced remote image URLs are being transmitted to an external OCR provider. This is especially risky in an OCR skill because users may process receipts, IDs, contracts, or other sensitive documents and reasonably expect local handling.

Missing User Warnings

Low
Confidence
75% confidence
Finding
The script writes full-page PNG renderings of input PDFs to disk in a temporary directory, which may expose sensitive document contents to other local processes, backups, or forensic recovery depending on system configuration. Although `mktemp -d` is used and cleanup is attempted, the files persist on disk for the duration of processing and may remain if execution is interrupted before `rm -rf` runs.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal