Document Recognition - Table Recognition - Pro (Xiangyun Open Platform)

Security checks across malware telemetry and agentic risk

Overview

This skill does the advertised cloud OCR/table-recognition work, but users should treat submitted documents and OCR credentials as sensitive.

Install only if you trust netocr.com with the documents you choose to process. Prefer NETOCR_KEY and NETOCR_SECRET environment variables or a protected secret store over plaintext config.json; if you use config.json, keep it out of version control and restrict access. Avoid bulk-processing folders that may contain unrelated sensitive files, and rotate the OCR key if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Tainted flow: 'oss_https' from requests.post (line 221, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
oss_https = oss_url.replace("http://", "https://").replace(
    original_host, "oss-cn-beijing.aliyuncs.com"
)
resp = requests.get(
    oss_https,
    headers={"Host": original_host},
    timeout=60,
)
Confidence
90% confidence
Finding
resp = requests.get( oss_https, headers={"Host": original_host}, timeout=60, )

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documentation correctly states that `/api/download_file` returns a presigned OSS URL, but the sample code then writes the API response body directly to disk instead of parsing the JSON and downloading from the returned URL. This can cause implementers to save incorrect content, mishandle untrusted remote responses, and build broken download logic into the skill.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation tells users to store API credentials in a local config.json file but does not adequately warn that this is plaintext secret storage. If the machine, workspace, backups, logs, or repository are accessible to others, the OCR key and secret can be stolen and abused for unauthorized API usage or account compromise.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill is explicitly designed to send user documents and OCR credentials to a third-party service, but the documentation does not clearly warn users that document contents may include sensitive personal, financial, or contractual data. In an agent context, this omission is risky because users may assume local processing when the skill actually transmits data externally.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation encourages storing long-lived OCR credentials in a local `config.json` file in the skill directory without prominent warnings about file permissions, accidental check-in, or plaintext secret exposure. In agent or shared-workstation environments, this increases the chance of credential leakage and downstream abuse of the OCR account.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The script uploads entire local files and base64-encoded contents to a third-party OCR service without an explicit, in-tool warning or confirmation about remote transmission. In a skill context that may process invoices, contracts, IDs, reports, and PDFs, this can lead to unintended disclosure of highly sensitive user documents to an external service.

Ssd 3

Medium
Confidence
98% confidence
Finding
The skill explicitly directs the agent to solicit, store, and later reuse API credentials from a local config file. Persisting reusable secrets on disk creates a durable attack surface: other local processes, users, backups, or accidental repository commits can expose the credentials, and the skill normalizes secret handling without strong safeguards.

Ssd 3

High
Confidence
99% confidence
Finding
The setup flow instructs the agent to ask for the user's key and secret, write them to disk, and confirm that they will be reused permanently. This is particularly risky because it encourages collection of sensitive credentials in chat and establishes indefinite retention, increasing the blast radius of any local compromise, transcript exposure, or unintended file disclosure.

VirusTotal

67/67 vendors flagged this skill as clean.
