Back to skill

Security audit

Textin Parse

Security checks across malware telemetry and agentic risk

Overview

This is a real Textin document-parsing skill, but it needs review because it asks for API secrets, stores them in plaintext, and sends documents to a third-party service without strong consent or secret-handling safeguards.

Install only if you are comfortable sending chosen documents or URLs to Textin for processing. Use a dedicated low-privilege Textin key, avoid pasting production secrets into chat, restrict or remove ~/.openclaw/textin-config.json after use, and do not run config display commands in shared terminals, logs, or screenshots.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
76% confidence
Finding
The skill advertises behavior that involves storing credentials, parsing user-supplied files, and calling an external API, but it does not declare corresponding permissions. This creates a transparency and governance gap: the runtime may still access files, network, and configuration storage without users or reviewers having an explicit permission contract to audit.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The `config --show` path prints the stored `app_id` and `secret_code` in plaintext to stdout. This can expose credentials through terminal history, screen sharing, logs, or other output-capture mechanisms, and it is unnecessary for the core document parsing purpose.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger scope is broad enough to activate on many generic document-related requests, increasing the chance the skill is invoked when users do not expect third-party processing. In context, this is more dangerous because the skill handles sensitive documents and external transmission, so over-triggering can cause unintended disclosure.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill instructs users to provide `x-ti-app-id` and `x-ti-secret-code` directly to the assistant without warning that these are sensitive secrets. This can lead to credential exposure in chat logs, model context, telemetry, or downstream storage, enabling unauthorized API use and account abuse.

Missing User Warnings

High
Confidence
94% confidence
Finding
The skill describes document parsing features but does not clearly disclose that uploaded files and their contents will be transmitted to a third-party API. Because the skill is intended for PDFs, images, office documents, and other potentially sensitive materials, missing this warning creates a significant privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script stores API credentials in plaintext JSON under the user's home directory and does so without setting restrictive file permissions or warning the user about the security implications. If the host is multi-user, backups are exposed, or other local processes can read the file, the secret_code can be stolen and used to abuse the Textin API account.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill stores API credentials persistently in `~/.openclaw/textin-config.json` without setting restrictive file permissions or warning the user that sensitive secrets are being written to disk. On shared systems or misconfigured environments, other local users or processes may be able to read these credentials.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code uploads local document contents to `api.textin.com` for processing, but the user-facing flow does not clearly disclose that document data will leave the local environment and be sent to a third-party service. This creates a meaningful confidentiality and compliance risk, especially if users parse sensitive PDFs, images, or office documents.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script uploads either a user-supplied URL or the full contents of a local file to a third-party service, and it can also include a PDF password in query parameters. That behavior is core to the skill, but it creates a real data disclosure risk because sensitive documents and secrets may be transmitted off-host without a clear explicit warning or consent step at execution time.

Ssd 3

High
Confidence
98% confidence
Finding
The skill explicitly tells users to hand API credentials to the assistant for storage/configuration, which is an unsafe secret-handling pattern. In this context, the danger is elevated because the assistant becomes a collection point for long-lived secrets that could be exposed through logs, prompt history, misconfiguration, or other skills/tools.

External Transmission

Medium
Category
Data Exfiltration
Content
# 发送请求
if [ "$CONTENT_TYPE" = "text/plain" ]; then
    RESPONSE=$(curl -s -X POST "${API_URL}?${QUERY_PARAMS}" \
        -H "x-ti-app-id: ${APP_ID}" \
        -H "x-ti-secret-code: ${SECRET_CODE}" \
        -H "Content-Type: ${CONTENT_TYPE}" \
Confidence
92% confidence
Finding
curl -s -X POST "${API_URL}?${QUERY_PARAMS}" \ -H "x-ti-app-id: ${APP_ID}" \ -H "x-ti-secret-code: ${SECRET_CODE}" \ -H "Content-Type: ${CONTENT_TYPE}" \ -d

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.