Account-Opening Permit Recognition and Extraction (ADP)

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears to be a real document-processing integration, but its documentation is overbroad and inconsistent for a sensitive financial-document workflow.

Review before installing. Use this only if you are comfortable sending account-opening permits and extracted banking/business data to the ADP service, and avoid remote URLs or local exports unless you understand where files and results are stored. The publisher should narrow the skill to the permit workflow, remove unrelated app-management documentation, fix the mismatched examples and schema, and replace pipe-to-shell install steps with verifiable installation instructions.

Publisher note

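This skill is an enterprise-grade application from Laiye Technology. It only invokes internally designated CLI commands in a secure manner to perform document extraction tasks; it makes no outbound network transmissions, performs no unauthorized file access, and has no additional risky behavior.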

SkillSpector (13)

By NVIDIA

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The README for a narrowly named skill instead documents a broad, general-purpose ADP CLI with parsing, extraction, app management, and automation capabilities far beyond Chinese account-opening permit recognition. This scope mismatch increases the attack surface and creates a confused-deputy risk where an agent or user may invoke unintended high-capability functions under the guise of a limited skill.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The documentation advertises custom application creation, editing, and management, which is unrelated to a fixed-purpose permit extraction skill. Exposing or normalizing these administrative capabilities can let an agent pivot from a narrow extraction workflow into broader model/app reconfiguration actions that were not expected by the skill consumer.

Context-Inappropriate Capability

Low
Confidence
81% confidence
Finding
Remote URL processing extends the skill from local permit recognition into arbitrary network-retrieved document handling, which broadens data ingress and can lead to unintended processing of external content. In a skill advertised as a specific document recognizer, this capability is unnecessary and can enable misuse or accidental processing of sensitive remote resources.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The README describes a broad, general-purpose ADP CLI with parsing, extraction, async workflows, custom apps, and account management, which materially exceeds the manifest's stated scope of Chinese account-opening permit recognition and extraction. This scope mismatch is dangerous because an agent or user may grant broader capabilities, process unintended document types, or invoke functions outside the expected least-privilege behavior for this skill.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The documentation advertises custom application creation, editing, and management capabilities unrelated to simple permit recognition/extraction. In an agent skill context, exposing lifecycle management for arbitrary extraction apps broadens operational scope and can enable unintended reconfiguration or use of the service for other document-processing tasks.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The skill repeatedly claims to process 开户许可证, but nearby workflow/result text references unrelated document types and fields. This inconsistency can cause an agent or operator to invoke the wrong extraction app or mishandle outputs, leading to incorrect processing of sensitive financial documents and downstream compliance/privacy issues.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The markdown first states support for 6 key fields, then later expands the schema with additional unsupported fields such as company name/address/establishment date. This can mislead agents into trusting nonexistent or mismapped fields, causing bad business decisions or improper storage/display of extra sensitive data.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The quick-reference and billing sections switch to 营业执照 extraction, directly conflicting with the declared 开户许可证 purpose. In a skill that drives command execution, this raises the chance of selecting the wrong app/workflow and uploading the wrong regulated documents to an external service.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The safety notes discuss 驾驶证 PII and driving-license app IDs instead of bank account opening permits. That mismatch undermines privacy controls by directing users to redact the wrong data categories and can cause incorrect reuse of app identifiers in a highly sensitive financial-document workflow.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README encourages remote URL ingestion and local export of parsed/extracted results without discussing privacy, retention, or sensitive-document handling. Because account-opening permits and related financial documents may contain regulated or confidential data, omission of these warnings can lead to unsafe transfers, oversharing, or insecure storage of extracted information.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README promotes remote URL processing and exporting extracted results to local files without clearly warning that documents may be transmitted to a public cloud service and that sensitive extracted fields may be written to disk. For financial/account-opening permits, this can expose regulated or confidential business information through unexpected network transfer, persistent storage, logs, or shared result directories.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill processes highly sensitive banking and identity information through a remote ADP service, but it does not clearly and prominently warn that document contents are uploaded off-system for third-party/cloud processing. Users may unknowingly transmit regulated financial/PII data, creating privacy, consent, residency, and compliance exposure.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The installation instructions recommend piping internet-fetched shell/PowerShell scripts directly into an interpreter without a strong warning or integrity-verification step. If the remote source, network path, or repository is compromised, this can lead to immediate arbitrary code execution on the user’s machine.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
