Tiexue Vision

Security checks across malware telemetry and agentic risk

Overview

This image-recognition skill is mostly aligned with its stated purpose, but it can automatically write OCR results back into shared Feishu chats or documents and send extracted text to Google Translate, neither of which is gated by clear per-use consent.

Review before installing in any workspace that holds sensitive images or shared Feishu documents. Use it only if automatic OCR writeback is acceptable, egress to Google Translate is allowed by your data policy, and the Feishu edit permission it is granted is tightly scoped; better still, disable translation and writeback, or make both explicit opt-ins, before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill sends OCR-extracted text from user-provided images to an external Google Translate endpoint whenever the text is ASCII-only. OCR output can contain sensitive data such as IDs, emails, internal documents, or credentials, so transmitting it off-host without explicit consent or data minimization is a real data-exfiltration and privacy risk.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill advertises automatic invocation for any image sent in chat or documents, without describing clear triggering boundaries, confirmation, or scope limits. In collaboration tools, broad auto-activation can cause unintended processing of sensitive images and unexpected write-back into shared content, creating privacy and integrity risks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The description states that recognition results are written back into the original chat/document or emitted as a same-named .txt file, but it does not present this as a prominent user warning or consent boundary. Users may unknowingly cause modification of shared documents, message threads, or local directories, which can leak extracted text or overwrite expected workflows.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill claims local operation except for translation, and it accepts image paths or URLs, but it does not clearly warn that image URLs and extracted text may be transmitted to external services during retrieval or translation. This creates a data disclosure risk, especially if users process confidential images or documents under the assumption the workflow is entirely local.

Natural-Language Policy Violations

High
Confidence
95% confidence
Finding
The skill automatically translates detected English text into Chinese and writes the result back without user opt-in. This is risky because OCR output may contain sensitive or regulated content, and automatic translation sends that content to an external API and then alters the original record in chats and documents without approval.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code transmits OCR text to an external translation service without any user-facing notice, consent, or disclosure. Because image text may include confidential or regulated content, silent network transfer increases privacy, compliance, and data-handling risk beyond what a user would reasonably expect from local image recognition.

Unpinned Dependencies (5 findings)

Low
Category
Supply Chain
Content
"postinstall": "node -e \"console.log('依赖已安装,准备使用')\""
  },
  "dependencies": {
    "@tensorflow/tfjs-node": "^4.12.0",
    "onnxruntime-node": "^1.15.0",
    "tesseract.js": "^5.0.5",
    "axios": "^1.7.2",
    "node-fetch": "^3.3.2"
  }
}
Finding
Every dependency is declared with a caret range, so an install without a committed lockfile may pull any later minor or patch release of each package. The snippet also shows a postinstall lifecycle script; here it only prints "dependencies installed, ready to use", but lifecycle scripts run on install and belong in the same review. One finding per package:
  • "@tensorflow/tfjs-node": "^4.12.0" (84% confidence)
  • "onnxruntime-node": "^1.15.0" (84% confidence)
  • "tesseract.js": "^5.0.5" (83% confidence)
  • "axios": "^1.7.2" (97% confidence)
  • "node-fetch": "^3.3.2" (80% confidence)

Known Vulnerable Dependency: axios==1.7.2 — 10 advisory(ies): CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF); CVE-2026-42044 (Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `pars); CVE-2026-25639 (Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig) +7 more

High
Category
Supply Chain
Confidence
99% confidence
Finding
axios==1.7.2 is the floor of the manifest range "^1.7.2", not necessarily what is installed: a caret range resolves to whatever the lockfile recorded, or to the newest matching 1.x release when no lockfile is committed. Confirm the resolved version with npm ls axios before deciding which of the listed advisories apply.

VirusTotal

67/67 vendors flagged this skill as clean.
