Back to skill

Security audit

百度文档解析unlimited-ocr-parser

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Baidu cloud OCR client, but users should understand that documents and result links are sent to and handled by Baidu services.

Install only if you are comfortable sending the documents or document URLs you process to Baidu's OCR service. Avoid confidential, regulated, or customer documents unless your organization permits that processing, protect Baidu API keys if stored locally, and prefer explicitly invoking this skill only for files you intend to upload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Tainted flow: 'markdown_url' from requests.post (line 131, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
if download_result:
                        markdown_url = result.get("result", {}).get("markdown_url")
                        if markdown_url:
                            md_resp = requests.get(markdown_url, timeout=60)
                            md_resp.encoding = "utf-8"
                            result["markdown"] = md_resp.text
                        parse_result_url = result.get("result", {}).get("parse_result_url")
Confidence
96% confidence
Finding
md_resp = requests.get(markdown_url, timeout=60)

Tainted flow: 'parse_result_url' from requests.post (line 136, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
parse_result_url = result.get("result", {}).get("parse_result_url")
                        if parse_result_url:
                            try:
                                pr_resp = requests.get(parse_result_url, timeout=60)
                                pr_resp.encoding = "utf-8"
                                result["parse_result"] = pr_resp.json()
                            except Exception:
Confidence
96% confidence
Finding
pr_resp = requests.get(parse_result_url, timeout=60)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly requires environment variables for API credentials and makes outbound network requests, yet it declares no permissions or capability disclosures. This creates a transparency and governance gap: users or hosting platforms may not realize the skill can access secrets and transmit document data to an external cloud service.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases are broad generic terms like '文档解析', 'Markdown 解析', and '结构化文档', which can cause the skill to activate in situations where the user did not specifically intend to invoke a cloud OCR workflow. Because this skill can send documents or file URLs to a third-party service, overbroad activation increases the risk of unintended data disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description does not prominently warn that document contents and file URLs are transmitted to Baidu's cloud OCR service and that result links may remain available for 30 days. In a document-processing context, this omission is dangerous because users may submit sensitive files without informed consent about external transmission, retention, and exposure of generated result URLs.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide explicitly recommends placing long-lived API credentials in a local JSON settings file in plaintext, but does not warn about the security tradeoff or suggest safer secret-management options. If that file is readable by other local users, included in backups, synced to cloud storage, or accidentally committed/shared, the Baidu OCR account could be abused for unauthorized API usage.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation instructs users to upload full documents to Baidu's remote OCR service and notes that result links remain valid for 30 days, but it does not warn about third-party data transmission, retention, or sensitivity of uploaded content. This creates a meaningful privacy and data-governance risk because users may submit confidential documents without informed consent or compensating controls.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This skill uploads user-supplied documents or document URLs to Baidu OCR endpoints, but the code provides no explicit user-facing disclosure, consent step, or warning that potentially sensitive content will leave the local environment. In a document-processing skill, this is especially relevant because inputs commonly contain confidential business, personal, or regulated data.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SKILL.md:115