Image To Code

Security checks across malware telemetry and agentic risk

Overview

This image conversion skill is useful, but it uploads images to Baidu OCR by default using embedded credentials without enough user control or privacy disclosure.

Review carefully before installing. Do not use this skill on confidential, customer, regulated, or proprietary images unless you first disable Baidu OCR, remove the embedded credentials, use your own approved provider credentials if needed, and pin reviewed dependency versions. The skill does not appear to be intentionally malicious, but its default cloud upload and credential handling need user attention.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The README documents that the skill defaults to Baidu OCR, which sends image content to an external cloud service. That materially expands the skill's behavior from local image-to-code conversion into networked data transfer, creating privacy and data-governance risk for potentially sensitive images.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The README states that Baidu OCR API credentials are built in, implying embedded shared secrets in the skill. Hardcoded third-party credentials are dangerous because they can be abused by anyone with access to the package, leading to unauthorized API use, quota exhaustion, billing exposure, and loss of control over submitted document data.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The skill transmits full image contents to Baidu OCR, which creates a real data exfiltration path to a third party. That is especially risky because the skill is presented as an image-to-code converter and does not clearly establish that external network processing is required, so users may unknowingly send sensitive documents, formulas, or embedded text off-device.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The code hardcodes Baidu API credentials directly in the source, exposing secrets to anyone with access to the file and enabling unauthorized use of the external OCR account. Embedded credentials also normalize hidden third-party integration and make incident response difficult if the key is leaked or abused.

Missing User Warnings

Medium
Confidence: 91%
Finding
The README recommends a '视觉 AI 模式' (Vision AI mode) and a `--vision-ai` option but does not disclose that using an API-backed mode may transmit image contents to a third-party service. Because this skill processes screenshots and documents that may contain sensitive text, formulas, or embedded images, users could unknowingly expose confidential data off-host.

Missing User Warnings

Medium
Confidence: 97%
Finding
The README promotes Baidu OCR as the default path but does not clearly warn users that their images will be uploaded to an external service. Because images may contain confidential text, formulas, or business documents, this lack of explicit disclosure undermines informed consent and can cause unintended data exfiltration.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly suggests sending user-provided images to external vision AI providers, but it does not include a clear privacy warning, consent flow, or data-handling disclosure. Because screenshots may contain sensitive text, formulas, business data, or personal information, silent transmission to third parties can cause unintended data exposure.

Missing User Warnings

Medium
Confidence: 94%
Finding
The report recommends Baidu OCR as the default and repeatedly emphasizes accuracy and convenience, but it does not clearly warn that using this mode sends image contents to an external network service. For a skill that processes screenshots and technical documents, that omission can cause users to unknowingly transmit sensitive text, formulas, or embedded personal/company data to a third party, creating a real privacy and data-governance risk.

Missing User Warnings

Medium
Confidence: 95%
Finding
Sending image data to an external OCR provider without a prominent warning or consent mechanism is a real privacy and security issue. In this skill's context, users may process screenshots, scanned notes, contracts, or technical documents, so silent transmission increases the likelihood of accidental disclosure.

Missing User Warnings

High
Confidence: 98%
Finding
The skill includes sensitive API credentials with no disclosure, which is dangerous both because the secret itself is exposed and because users are not informed that a third-party service account is being used on their behalf. This undermines trust, complicates attribution, and can lead to account abuse, billing exposure, or service misuse.

Unpinned Dependencies

Low
Category: Supply Chain
Content
paddlepaddle>=2.5.0
paddleocr>=2.7.0
opencv-python>=4.8.0
numpy>=1.24.0
Confidence: 90%
Finding
paddlepaddle>=2.5.0

Unpinned Dependencies

Low
Category: Supply Chain
Content
paddlepaddle>=2.5.0
paddleocr>=2.7.0
opencv-python>=4.8.0
numpy>=1.24.0
Pillow>=10.0.0
Confidence: 90%
Finding
paddleocr>=2.7.0

Unpinned Dependencies

Low
Category: Supply Chain
Content
paddlepaddle>=2.5.0
paddleocr>=2.7.0
opencv-python>=4.8.0
numpy>=1.24.0
Pillow>=10.0.0
Confidence: 90%
Finding
opencv-python>=4.8.0

Unpinned Dependencies

Low
Category: Supply Chain
Content
paddlepaddle>=2.5.0
paddleocr>=2.7.0
opencv-python>=4.8.0
numpy>=1.24.0
Pillow>=10.0.0
Confidence: 88%
Finding
numpy>=1.24.0

Unpinned Dependencies

Low
Category: Supply Chain
Content
paddleocr>=2.7.0
opencv-python>=4.8.0
numpy>=1.24.0
Pillow>=10.0.0
Confidence: 92%
Finding
Pillow>=10.0.0

Known Vulnerable Dependency: paddlepaddle — 10 advisories: CVE-2023-52313 (PaddlePaddle floating point exception in paddle.argmin and paddle.argmax); CVE-2022-46741 (PaddlePaddle Out-of-bounds Read vulnerability); CVE-2024-0818 (PaddlePaddle Path Traversal vulnerability) +7 more

Critical
Category: Supply Chain
Confidence: 96%
Finding
paddlepaddle

Known Vulnerable Dependency: opencv-python — 10 advisories: CVE-2017-12864 (Integer Overflow or Wraparound in OpenCV); CVE-2017-12598 (Out-of-bounds Read in OpenCV); CVE-2019-14493 (NULL Pointer Dereference in OpenCV) +7 more

High
Category: Supply Chain
Confidence: 95%
Finding
opencv-python

Known Vulnerable Dependency: numpy — 10 advisories: CVE-2014-1859 (NumPy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Critical
Category: Supply Chain
Confidence: 84%
Finding
numpy

Known Vulnerable Dependency: Pillow — 10 advisories: CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category: Supply Chain
Confidence: 97%
Finding
Pillow

VirusTotal

49/49 vendors flagged this skill as clean.
