Back to skill

Security audit

Super Ocr

Security checks across malware telemetry and agentic risk

Overview

This is a local OCR skill whose risks are mainly disclosed setup and dependency risks, not hidden or malicious behavior.

Install only in an environment where you are comfortable adding large OCR and image-processing dependencies. Prefer a virtual environment, pin and scan dependency versions, avoid running OCR on sensitive or untrusted images outside a sandbox, and be aware that setup commands may download packages and preprocessing may briefly write derived image files locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f"       Command: {install_cmd}")
    
    try:
        result = subprocess.run(
            install_cmd.split(),
            capture_output=True,
            text=True,
Confidence
92% confidence
Finding
result = subprocess.run( install_cmd.split(), capture_output=True, text=True, timeout=120 )

Description-Behavior Mismatch

Low
Confidence
76% confidence
Finding
The documentation presents the skill as a two-engine OCR selector but later advertises a third engine and an all-engines mode. This inconsistency can mislead users and reviewers about the skill's execution surface, causing them to underestimate external dependencies and OS-specific subprocess behavior.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The docs conflict on whether auto mode selects one optimal engine or runs all available engines. In a security context, that ambiguity matters because running all engines expands execution scope, increases attack surface, and may invoke more external components than the user intended.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
A dependency helper that installs packages at runtime gives the skill the ability to change the system state and introduce new executable code from package repositories. For an OCR skill, this is unnecessary during normal operation and increases the attack surface through supply-chain compromise, unexpected privilege context, and operational drift.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Documenting auto-install behavior without prominently warning that it may modify the system is risky because users may run setup commands expecting a read-only dependency check. Automatic package installation can change the environment, pull code from external sources, and introduce supply-chain exposure.

Missing User Warnings

Low
Confidence
75% confidence
Finding
The preprocessing step writes a derived image file next to the original input, which can expose sensitive document contents to other local users, backups, scans, or unexpected persistence if cleanup fails. In an OCR skill handling potentially confidential images, undisclosed temporary disk writes increase data leakage risk even if the file is later deleted.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Requirements for Super OCR

# PaddleOCR (primary engine for Chinese, 98%+ accuracy)
paddleocr
paddlepaddle

# Tesseract (secondary engine for English, fast)
Confidence
96% confidence
Finding
paddleocr

Unpinned Dependencies

Low
Category
Supply Chain
Content
# PaddleOCR (primary engine for Chinese, 98%+ accuracy)
paddleocr
paddlepaddle

# Tesseract (secondary engine for English, fast)
pytesseract
Confidence
98% confidence
Finding
paddlepaddle

Unpinned Dependencies

Low
Category
Supply Chain
Content
paddlepaddle

# Tesseract (secondary engine for English, fast)
pytesseract
pillow
opencv-python
numpy
Confidence
95% confidence
Finding
pytesseract

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Tesseract (secondary engine for English, fast)
pytesseract
pillow
opencv-python
numpy
Confidence
99% confidence
Finding
pillow

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Tesseract (secondary engine for English, fast)
pytesseract
pillow
opencv-python
numpy

# Optional: macOS Vision OCR
Confidence
99% confidence
Finding
opencv-python

Unpinned Dependencies

Low
Category
Supply Chain
Content
pytesseract
pillow
opencv-python
numpy

# Optional: macOS Vision OCR
# pip install pyobjc  # macOS only
Confidence
94% confidence
Finding
numpy

Known Vulnerable Dependency: paddlepaddle — 10 advisory(ies): CVE-2023-52313 (PaddlePaddle floating point exception in paddle.argmin and paddle.argmax); CVE-2022-46741 (PaddlePaddle Out-of-bounds Read vulnerability); CVE-2024-0818 (PaddlePaddle Path Traversal vulnerability) +7 more

Critical
Category
Supply Chain
Confidence
97% confidence
Finding
paddlepaddle

Known Vulnerable Dependency: pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
98% confidence
Finding
pillow

Known Vulnerable Dependency: opencv-python — 10 advisory(ies): CVE-2017-12864 (Integer Overflow or Wraparound in OpenCV); CVE-2017-12598 (Out-of-bounds Read in OpenCV ); CVE-2019-14493 (NULL Pointer Dereference in OpenCV.) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
opencv-python

Known Vulnerable Dependency: numpy — 10 advisory(ies): CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Critical
Category
Supply Chain
Confidence
90% confidence
Finding
numpy

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.