smart ocr

Security checks across malware telemetry and agentic risk

Overview

This OCR skill is purpose-aligned and disclosed, but users should understand that images, including recent images pulled from OpenClaw session files, are uploaded to the SmartOCR API.

Install only if you trust the SmartOCR endpoint and are comfortable uploading vehicle documents, receipts, invoices, or recent chat-uploaded images to it. Prefer explicit file paths when possible; use the session helper only when the latest OpenClaw session image is the one you intend to process, and keep SMARTOCR_API_URL pointed at a trusted service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation indicates use of environment variables, local file access, and outbound network access, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: operators may grant or execute the skill without understanding that it can read local data and transmit it to a remote OCR service. In this context, the undeclared file/network capabilities matter because the skill can process local images and session-derived content, which may contain sensitive personal or financial data.
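The gap described in this finding (capabilities the code exercises versus capabilities the skill declares) is mechanically checkable. The following is an added example, not SkillSpector's or OpenClaw's code: it infers env, filesystem, network and session-history access from a constructed sample script with coarse regexes and diffs that against a constructed manifest. The manifest shape ("permissions" list) and the regex set are assumptions for illustration; real skill manifests and the scanner's own rules may differ.

```python
"""Infer capabilities from a skill script and compare with its declarations.

Added example. The manifest key "permissions" and the patterns below are
assumptions, not the real OpenClaw/SkillSpector schema.
"""
import re

# Constructed sample skill script (not the real smart ocr code).
SAMPLE_SCRIPT = '''
import os, glob, json, requests
API = os.environ.get("SMARTOCR_API_URL", "https://ocr.example/api")
def newest_session():
    files = sorted(glob.glob(os.path.expanduser("~/.openclaw/sessions/*.jsonl")))
    return open(files[-1]).read()
def ocr(image_bytes):
    return requests.post(API, files={"file": image_bytes}).json()
'''

# Constructed manifest that declares only network access.
SAMPLE_MANIFEST = {"permissions": ["network"]}

# Source pattern -> capability name. Deliberately coarse: for a review
# gate a false positive is cheaper than a miss.
CAPABILITY_PATTERNS = {
    "env": [r"\bos\.environ\b", r"\bos\.getenv\("],
    "filesystem": [r"\bopen\(", r"\bglob\.glob\(", r"\bos\.listdir\(", r"\bpathlib\b"],
    "network": [r"\brequests\.(get|post|put)\(", r"\burllib\.request\b",
                r"\bhttpx\.", r"\bsocket\."],
    "session_history": [r"sessions?/.*\.jsonl", r"\.jsonl\b"],
}


def infer_capabilities(source):
    """Return {capability: [(line_no, matched_text), ...]} for every hit."""
    found = {}
    for cap, patterns in CAPABILITY_PATTERNS.items():
        hits = []
        for pat in patterns:
            for m in re.finditer(pat, source):
                line_no = source.count("\n", 0, m.start()) + 1
                hits.append((line_no, m.group(0)))
        if hits:
            found[cap] = hits
    return found


def undeclared(source, manifest):
    """Capabilities the code uses that the manifest does not declare."""
    declared = set(manifest.get("permissions", []))
    return {cap: hits for cap, hits in infer_capabilities(source).items()
            if cap not in declared}


if __name__ == "__main__":
    for cap, hits in undeclared(SAMPLE_SCRIPT, SAMPLE_MANIFEST).items():
        lines = ", ".join("line %d (%s)" % h for h in hits)
        print("UNDECLARED %-16s %s" % (cap, lines))
```

Against the constructed script, the checker reports env, filesystem and session_history as undeclared while network passes because the manifest lists it; a reviewer would then ask the skill author to declare the rest or remove the access.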

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The top-level description says the skill supports image URLs and local files, but the documented session mode also reads local OpenClaw session files, extracts recently uploaded images, and sends them to the OCR API. That is a materially broader behavior than the declared purpose and can cause users or reviewers to miss that historical conversation artifacts are being accessed and exfiltrated. Because the content includes vehicle documents and receipts/invoices, the data involved is likely sensitive PII and financial information.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill description says it supports OCR on image URLs and local files, but this script instead harvests images from OpenClaw session history. That hidden data source broadens access to prior user content and can cause sensitive images to be processed or exfiltrated without the user's explicit request for those specific files.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code scans OpenClaw session transcripts, locates prior user-uploaded images, and extracts their base64 contents. Because the skill handles vehicle documents and receipts/invoices, the accessed images are likely to contain sensitive personal and financial data, making undisclosed transcript scraping especially risky.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The session-image documentation explains how to pull images from local session JSONL files, but it does not prominently warn that uploaded image data will be read from local conversation history and sent to a third-party OCR API. Users may reasonably assume only explicitly supplied files or URLs are processed, so this omission undermines informed consent. Given the supported document types, the transferred data can include identity, vehicle, and billing details.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The tool sends full image contents, including potentially sensitive vehicle documents, receipts, or invoices, to a remote OCR API, but the CLI provides no explicit runtime warning or consent prompt about that network transfer. In this skill context, the data is likely to contain personal and financial information, so silent transmission increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
After extracting images from session history, the script sends them to an external OCR API with no user-facing disclosure or confirmation. This creates a silent third-party transfer of potentially sensitive documents such as vehicle certificates, receipts, and invoices, which materially raises privacy and compliance risk.
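The Overview's advice (prefer explicit paths, use the session helper only deliberately, keep SMARTOCR_API_URL on a trusted service) and the three Missing User Warnings findings point at the same fix: show the user what is about to leave the host and refuse by default. The following is an added example of such a guard, not the skill's own code. It assumes a session transcript shape (JSONL, one object per turn, with a "content" list whose image parts carry "mime" and base64 "data"); the real OpenClaw layout may differ. The allowlist host and the sample transcript are constructed, and nothing is uploaded: the function returns a decision that a caller would act on.

```python
"""Consent-gated session-image helper with an endpoint allowlist.

Added example. Transcript shape, allowlist and confirm() semantics are
assumptions. No network I/O: plan_upload() only returns a decision.
"""
import base64
import hashlib
import json
import os
from urllib.parse import urlparse

# Constructed sample transcript (not a real OpenClaw session file).
_FAKE_PNG = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32).decode()
SAMPLE_SESSION = "\n".join([
    json.dumps({"role": "user", "content": [{"type": "text", "text": "hi"}]}),
    json.dumps({"role": "user", "content": [
        {"type": "text", "text": "here is my registration"},
        {"type": "image", "mime": "image/png", "data": _FAKE_PNG}]}),
    json.dumps({"role": "assistant", "content": [{"type": "text", "text": "ok"}]}),
])

# Assumed allowlist; an operator would set this to their own OCR host.
TRUSTED_HOSTS = {"ocr.example.internal"}


def endpoint_allowed(url, trusted_hosts=TRUSTED_HOSTS):
    """Accept only https to a host on the allowlist."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in trusted_hosts


def latest_session_images(jsonl_text):
    """Metadata (mime, size, sha256) for images in the latest user turn
    that carries any; never the bytes, so the manifest is safe to print."""
    image_turns = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if obj.get("role") != "user":
            continue
        imgs = [p for p in obj.get("content", [])
                if isinstance(p, dict) and p.get("type") == "image"]
        if imgs:
            image_turns.append(imgs)
    if not image_turns:
        return []
    manifest = []
    for part in image_turns[-1]:
        raw = base64.b64decode(part["data"])
        manifest.append({"mime": part.get("mime", "?"), "size": len(raw),
                         "sha256": hashlib.sha256(raw).hexdigest()})
    return manifest


def plan_upload(api_url, explicit_path=None, session_text=None,
                confirm=lambda message: False):
    """Decide what may be sent. Explicit path wins over session mode; session
    mode requires confirm(message) to return True after seeing the manifest.
    The default confirm() denies, so silent transfer is impossible."""
    if not endpoint_allowed(api_url):
        return {"send": False, "reason": "endpoint not on allowlist"}
    if explicit_path is not None:
        return {"send": True, "source": "explicit",
                "items": [os.path.basename(explicit_path)]}
    if session_text is None:
        return {"send": False, "reason": "no input"}
    manifest = latest_session_images(session_text)
    if not manifest:
        return {"send": False, "reason": "no image in latest user turn"}
    message = ("About to upload %d image(s) from session history to %s: %s"
               % (len(manifest), api_url, manifest))
    if not confirm(message):
        return {"send": False, "reason": "user declined"}
    return {"send": True, "source": "session", "items": manifest}


if __name__ == "__main__":
    url = os.environ.get("SMARTOCR_API_URL", "https://ocr.example.internal/v1")
    ask = lambda m: input(m + "\nProceed? [y/N] ").strip().lower() == "y"
    print(plan_upload(url, session_text=SAMPLE_SESSION, confirm=ask))
```

Two design points: the allowlist rejects plaintext http as well as unknown hosts, so a mistyped or attacker-controlled SMARTOCR_API_URL fails closed; and the consent prompt shows hashes and sizes rather than the images themselves, which is enough for the user to recognise what is about to be uploaded without the prompt itself leaking the content into logs.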

VirusTotal

62 of 62 vendors reported this skill clean.
