ai-ocr

Security checks across malware telemetry and agentic risk

Overview

The scan indicates that this is a broad, paid SkillBoss API gateway presented as a narrow OCR skill, so review its actual scope, not just its label, before installing.

Before installing, verify the remote SkillBoss setup file (read it and pin its contents or hash so a later change to the remote file is noticed rather than installed silently), use a restricted or low-quota API key, and avoid sending sensitive images, PDFs, business records, or personal documents unless SkillBoss and the selected upstream model provider meet your privacy, retention, and billing requirements. Note that a low-quota key caps billing exposure but does not stop content from leaving your environment; only what you choose to send controls that.
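The two pre-install checks above, pinning the setup file and comparing the capabilities it enables against the skill's declared purpose, can be scripted. The following is an added example and not code from the ai-ocr skill, SkillBoss or the SkillSpector scanner: the two setup-file samples, the capability vocabulary, the trigger phrases and the function names are constructed assumptions for illustration, and the real setup file's format will differ.

```python
# Added example for the pre-install checks described above. Not code from the
# ai-ocr skill, SkillBoss or SkillSpector; the samples, vocabulary and names
# below are constructed assumptions.
import hashlib
import hmac

# Constructed stand-in for a remote setup file: labelled OCR, but its setup
# text also enables scraping, social-data, email and generic chat APIs and
# asks to be triggered for any task.
BROAD_SETUP = b"""name: ai-ocr
description: Extract text from images and PDFs.
USE THIS for any task.
endpoints:
  - /v1/chat/completions
  - /v1/ocr
  - /v1/scrape
  - /v1/social/profiles
  - /v1/email/send
"""

# Constructed stand-in for a setup file whose scope matches its label.
NARROW_SETUP = b"""name: ai-ocr
description: Extract text from images and PDFs.
Use when the user supplies an image or PDF and asks for its text.
endpoints:
  - /v1/ocr
"""

# Capability families and the terms that indicate them in setup text.
# Constructed vocabulary; extend it for the platform you are reviewing.
CAPABILITY_TERMS = {
    "ocr": ("ocr", "image", "pdf"),
    "scraping": ("scrape", "crawl"),
    "social": ("social", "profile", "follower"),
    "email": ("email", "smtp"),
    "chat": ("chat/completions",),
}

# Over-broad activation phrases of the kind flagged as vague triggers.
BROAD_TRIGGERS = ("use this", "any task", "always use")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the fetched setup bytes, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def verify_pin(data: bytes, expected_sha256: str) -> bool:
    """True only if the fetched file matches the copy that was reviewed.

    Record the hash after reading the file once; a remote file that changes
    later (new endpoints, new trigger text) then fails this check instead of
    being installed silently.
    """
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def scope_report(setup_text: str, declared: set) -> dict:
    """Compare the capabilities the setup text enables with the declared purpose."""
    text = setup_text.lower()
    found = {family for family, terms in CAPABILITY_TERMS.items()
             if any(term in text for term in terms)}
    return {
        "declared": sorted(declared),
        "undeclared": sorted(found - declared),
        "broad_triggers": [phrase for phrase in BROAD_TRIGGERS if phrase in text],
    }


def preinstall_check(data: bytes, expected_sha256: str, declared: set) -> dict:
    """Combine the pin check and the scope check into one install decision."""
    report = scope_report(data.decode("utf-8", errors="replace"), declared)
    report["pin_ok"] = verify_pin(data, expected_sha256)
    # Install only when the file is the reviewed one, enables nothing beyond
    # its declared purpose, and does not ask to be triggered indiscriminately.
    report["install_ok"] = (report["pin_ok"]
                            and not report["undeclared"]
                            and not report["broad_triggers"])
    return report


if __name__ == "__main__":
    import json
    for label, data in (("broad", BROAD_SETUP), ("narrow", NARROW_SETUP)):
        # Pinning the file to its own hash here only shows the flow; in use,
        # the expected hash comes from the copy you reviewed earlier.
        print(label, json.dumps(preinstall_check(data, sha256_hex(data), {"ocr"}), indent=2))
```

Run against the broad sample, the report lists chat, email, scraping and social as undeclared capabilities and both trigger phrases, and refuses the install even though the hash matches; the narrow sample passes. Substring matching on a fixed vocabulary is deliberately crude: it is a first-pass filter to decide whether a setup file deserves a full read, not a substitute for one.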

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch
Severity: High
Confidence: 97%
Finding: The skill is marketed as OCR-specific, but the setup text grants broad access to hundreds of unrelated APIs including scraping, social data, and email. This scope mismatch can cause an agent or user to install a far more capable integration than intended, violating least privilege and increasing the chance of unexpected data access or exfiltration through unrelated capabilities.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The quick test and API reference use a generic chat completions API rather than an OCR-specific workflow, so the documented behavior does not match the stated purpose of the skill. This makes it easier for the skill to be invoked as a general AI gateway and can lead users or agents to send arbitrary content to an external service under the guise of OCR.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: Introducing unrelated capabilities like scraping, social data, and email in an OCR skill materially expands the effective privilege and behavioral scope of the integration. If an agent auto-installs or trusts the skill based on its OCR label, those extra capabilities can be abused for unintended data collection, outbound communication, or reconnaissance.

Intent-Code Divergence
Severity: Medium
Confidence: 93%
Finding: The heading and invocation guidance frame the skill as OCR-specific while the actual setup and examples point to a generic SkillBoss AI platform. Whether deceptive or merely sloppy, this abstraction can mislead an agent into selecting the skill for narrowly scoped OCR tasks while silently introducing a much broader external service dependency.

Vague Triggers
Severity: Medium
Confidence: 86%
Finding: The activation guidance uses broad trigger language such as 'USE THIS' without clear boundaries, increasing the likelihood that an agent invokes the skill in situations where OCR is not necessary. Over-broad invocation criteria are risky here because the underlying integration is a general external AI platform, so accidental activation may send unnecessary data off-platform.

Vague Triggers
Severity: Medium
Confidence: 84%
Finding: The 'When To Use This Skill' section is repetitive and lacks constraints, making invocation overinclusive and ambiguous. In the context of a skill that actually fronts a broad third-party AI platform, weak triggering increases the chance of unnecessary external data transmission and scope creep.

VirusTotal

65/65 vendors reported this skill as clean (no detections). A clean antivirus result is expected here and does not address the findings above: the scope mismatch and vague triggers are design and documentation issues in a legitimate-looking API integration, not malware signatures, so the VirusTotal result should not be read as clearing the skill for installation.
