claw-text-and-pics

Security checks across malware telemetry and agentic risk

Overview

This skill performs remote OCR on user-selected documents and can optionally send extracted images to Telegram; both behaviors are disclosed and user-directed.

Install only if you are comfortable sending chosen documents to Mistral for OCR. Use --send only with a verified Telegram chat ID and documents whose extracted images may be shared externally. Store API keys and bot tokens securely, and avoid using sensitive or regulated documents unless that external sharing is intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill metadata advertises capabilities that access environment variables, local files, the network, and shell execution, but it does not declare permissions or provide a clear trust boundary. This makes it harder for users or a hosting platform to understand the true attack surface, especially because the skill processes potentially sensitive documents and relies on API credentials.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill claims to perform OCR, but it also supports transmitting extracted images to Telegram using separate credentials and chat identifiers. That is a material behavioral expansion beyond document reading, and in the context of receipts, contracts, and handwritten notes, it creates a real risk of unexpected exfiltration of sensitive content to a third-party messaging service.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill's stated purpose is OCR extraction, but it also includes functionality to transmit extracted document-derived images to Telegram, an unrelated external messaging platform. This creates a real data-exfiltration path for potentially sensitive receipts, contracts, invoices, or handwritten notes, especially because the content comes from scanned documents that often contain personal or confidential information.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code reads Telegram credentials and chat identifiers from the environment and uses them to send document-derived images externally. In an agent/skill context, environment-based auto-configuration lowers friction for silent or accidental transmission of sensitive extracted content to an external party unrelated to OCR processing.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly instructs users to send local documents, PDFs, images, and URLs to Mistral's OCR API and optionally forward extracted images to Telegram, but it does not clearly warn that potentially sensitive document contents will leave the local environment and be shared with third-party services. In an agent-skill context, this omission is security-relevant because users may process receipts, invoices, contracts, or handwritten notes that commonly contain personal, financial, or confidential data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill handles highly sensitive document content, yet the description does not prominently warn that inputs are uploaded to Mistral's OCR API and may also be forwarded to Telegram when image sending is enabled. Without an explicit privacy notice, users may unintentionally submit confidential documents such as invoices, contracts, or IDs to external services.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code sends the full local document contents, often including sensitive text and images, to the Mistral OCR API, but the skill description and runtime behavior do not provide an explicit privacy warning or consent checkpoint. In document-processing contexts, this can expose confidential business, financial, or personal data to a third-party service unexpectedly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When --send is enabled, extracted images are forwarded externally without any strong warning that content derived from sensitive documents will be sent to Telegram. Because extracted images may contain signatures, account details, or embedded confidential figures, the absence of a prominent warning increases the chance of unsafe disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.