Back to skill

Security audit

RapidOCR

Security checks across malware telemetry and agentic risk

Overview

The OCR tool is mostly legitimate, but its runtime instructions include an unrelated ClawHub publishing step that users should review before installing.

Review before installing. Use it only for local images you intentionally provide, expect local Node/Python execution and Python OCR dependencies, and remove or ignore the ClawHub publish step unless you are deliberately publishing the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The wrapper accepts input indirectly from broad environment variables such as SKILL_USER_PROMPT, USER_PROMPT, PROMPT, and similar fields, then parses those free-form strings to locate a filesystem path and options. This expands the trust boundary beyond an explicit file argument, making it easy for unintended prompt content or orchestrator-supplied data to influence which local file gets read and OCR'd, creating a real data exposure and confused-deputy risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code reads multiple environment-provided prompt/argument fields without clear disclosure, meaning user text and orchestration metadata can silently affect file selection and behavior. In a skill that accesses local files, this is dangerous because it can cause OCR to run on a different local image than the user explicitly intended, increasing the chance of unintended local data access.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
run_rapidocr.js:7