Invoice Recognition (invoice-ocr-xy), Xiangyun (翔云) Platform

Security checks across malware telemetry and agentic risk

Overview

This invoice OCR skill is purpose-aligned, but it needs review because it handles sensitive invoices and API secrets with weak disclosure, storage, and dependency-install controls.

Review before installing. Use only with invoices you are comfortable sending to NetOCR, prefer running the local --config command yourself instead of pasting API keys into chat, use a limited or quota-controlled OCR key, protect or remove config.json after use, and preinstall openpyxl through your normal package-management process if you need Excel export.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    except ImportError:
        print("⚠️  导出 Excel 需要 openpyxl 库,正在自动安装...")
        import subprocess
        subprocess.check_call([sys.executable, "-m", "pip", "install", "openpyxl", "-q"])
        import openpyxl
        from openpyxl.styles import Font, Alignment, PatternFill, Border, Side
Confidence
93% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "openpyxl", "-q"])

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The Excel export path exceeds passive data processing by mutating the local Python environment through automatic package installation. In a security-sensitive agent context, silently expanding capability and executing installer code is risky because it introduces supply-chain and policy-compliance concerns unrelated to invoice recognition itself.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly tells the agent to proactively request netocr_key and netocr_secret from the user, normalizing direct secret disclosure to the agent. That increases the chance of credential leakage through chat logs, agent memory, or downstream tooling, especially because safer setup methods are not prioritized with security guidance.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The setup section recommends providing credentials to the agent and later notes that configuration is stored in config.json, but it does not warn users that secrets may be written to disk in the skill directory. This can expose API keys to other local users, backups, repositories, or accidental file sharing if storage permissions are weak.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script transmits full invoice contents and OCR API credentials to a third-party remote service without a clear runtime warning or consent step. Because invoices commonly contain sensitive financial and personal data, undisclosed external transmission significantly increases privacy, confidentiality, and compliance risk in the skill context.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script stores netocr_key and netocr_secret in a local config.json file without warning users that credentials will persist on disk. Plain local persistence increases the chance of credential disclosure through backups, source-tree sharing, weak filesystem permissions, or accidental commits.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Automatically installing a package with pip during execution performs network access and code installation without explicit prior consent. This is dangerous because it can violate least-privilege expectations, introduce supply-chain risk, and change the host environment in ways users did not approve.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill's core setup instructions tell the agent to ask for OCR credentials in natural language, which encourages insecure secret handling through the conversational channel. In the context of a document-processing skill that also uses network access and local config storage, this raises the chance that sensitive credentials and invoice data are exposed together.

Ssd 3

Medium
Confidence
97% confidence
Finding
This section directly recommends that users hand API credentials to the agent, which is an unsafe secret collection pattern. Because the skill processes invoices containing potentially sensitive financial and personal information, compromised OCR credentials could be abused for unauthorized API usage and broaden privacy impact.

VirusTotal

65/65 vendors flagged this skill as clean.
