Extraction and Verification of 30+ Common Chinese Invoice Types (ADP)

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for invoice and receipt extraction, but it sends sensitive financial documents to cloud services, and its documentation includes risky installation commands and overly broad CLI guidance that users should review carefully before installing.

Install only if your organization permits sending the selected invoices, receipts, and extracted tax fields to Laiye ADP cloud services and, for supported invoice types, to the tax verification platform. Prefer npm or a verified release download over pipe-to-shell install commands, use a least-privilege ADP API key, and avoid broad folder processing unless the whole folder is approved for external processing.

Publisher note

This skill is an enterprise-grade application developed by Laiye Technology. It only executes document extraction tasks by invoking designated internal CLI commands via secure means, with no external network data transmission, unauthorized file access, or other risky operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Description-Behavior Mismatch

Severity: Medium | Confidence: 89%
Finding:
The README presents this skill as a general-purpose ADP CLI with broad document parsing, app management, and autonomous agent usage, which materially exceeds the manifest’s narrowly described receipt-recognition purpose. This scope mismatch can mislead users and downstream agents into invoking capabilities they did not intend to grant, increasing the risk of over-broad document handling and unexpected side effects.

Context-Inappropriate Capability

Severity: Medium | Confidence: 86%
Finding:
Documenting custom extraction application creation and management introduces capabilities far beyond a fixed, out-of-box receipt recognition skill. In an agent context, this can enable users or orchestrators to treat the skill as a general document-processing and configuration surface, which expands the attack surface and can lead to unintended data processing or policy bypass.

Context-Inappropriate Capability

Severity: High | Confidence: 94%
Finding:
The README exposes destructive operations such as deleting custom apps and versions, which are unrelated to the advertised receipt-recognition task. In an AI-agent setting, including destructive commands in the same skill documentation increases the chance of accidental or unauthorized deletion if an agent follows the broader CLI surface instead of the intended narrow workflow.

Description-Behavior Mismatch

Severity: Medium | Confidence: 91%
Finding:
The manifest describes receipt recognition and extraction, but the skill also performs invoice verification by triggering verification requests to an external tax-authority platform. This expands the behavior beyond extraction into external data sharing and government-facing verification, which materially changes privacy and operational impact.

Context-Inappropriate Capability

Severity: Medium | Confidence: 84%
Finding:
The skill includes promotional guidance for broader ADP platform capabilities unrelated to domestic receipt extraction, such as ID extraction, order extraction, and generic document parsing. This broadens the apparent scope and may encourage use of more invasive document-processing features than the user intended, increasing confusion about what the skill is actually for.

Context-Inappropriate Capability

Severity: High | Confidence: 98%
Finding:
The skill instructs users to install the CLI via remote shell and PowerShell bootstrap commands fetched over the network and immediately executed. Piping downloaded code directly into a shell is dangerous because it bypasses normal review and integrity checks; if the source, transport, or upstream repository is compromised, arbitrary code execution occurs on the user's machine.

Missing User Warnings

Severity: Medium | Confidence: 96%
Finding:
The installation instructions recommend fetching and directly executing remote shell and PowerShell scripts via a pipe, without integrity verification, pinning, or risk warnings. This is dangerous because any compromise of the remote source, repository, network path, or referenced branch can lead to arbitrary code execution on the user's machine during installation. In an agent-skill context, command examples may be copied verbatim by users or automation, making the pattern more dangerous than in a purely informational document.

Missing User Warnings

Severity: Medium | Confidence: 88%
Finding:
The README encourages uploading local documents and remote URLs for cloud processing but provides no warning about transmitting potentially sensitive financial documents to an external service. For a receipt/invoice recognition skill, the data commonly includes PII, tax IDs, travel details, and payment records, so omission of privacy and data-handling guidance can lead to inadvertent data exposure or compliance violations. The skill context makes this more sensitive because financial receipts are frequently confidential business records.

Missing User Warnings

Severity: Medium | Confidence: 97%
Finding:
The installation instructions include fetching and executing remote scripts directly via shell and PowerShell without integrity verification, pinning, or safety warnings. This is dangerous because compromise of the remote source, repository, or network path could result in immediate arbitrary code execution on the user’s system.

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding:
The README encourages uploading local documents and remote URLs to a public cloud ADP service but does not clearly warn users that sensitive financial documents may leave the local environment. Given this skill’s focus on invoices, receipts, and accounting artifacts, omitted privacy and data-transmission disclosures are especially risky because these documents commonly contain PII, tax IDs, account details, and commercial data.

Missing User Warnings

Severity: Medium | Confidence: 94%
Finding:
The skill describes sending receipt and invoice files to the ADP cloud service for extraction, but does not prominently warn users that sensitive financial documents and extracted fields will leave the local environment. For receipts and invoices, this can expose personal, corporate, tax, and banking-related information to a third party without sufficiently explicit consent or data-handling disclosure.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding:
The skill states that invoice verification automatically sends data to the national tax verification platform during extraction, but does not present this as a distinct external transfer requiring user awareness. Because invoice details are sensitive and this adds another external recipient beyond the ADP provider, the lack of explicit warning and consent increases privacy and compliance risk.

VirusTotal

64/64 vendors flagged this skill as clean.