ClawHub

Greek Document Ocr

Security checks across malware telemetry and agentic risk

Overview

The core local Greek OCR use is coherent, but optional cloud/accounting integrations for sensitive documents are under-scoped and partly conflict with the local/no-credentials framing.

Install only if you intend to use it as a local OCR/accounting helper and are comfortable with local document storage. Treat Xero, QuickBooks, banking, cloud, hybrid, and email workflows as separate high-impact choices: do not provide API keys or export OCR results unless you explicitly want sensitive invoice, receipt, or government-form data sent to those services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest and top-level description repeatedly claim that all OCR processing is local and uses no cloud APIs, but later documentation explicitly offers cloud and hybrid model deployment. This is a security-relevant contradiction because users may expose sensitive financial and government documents to remote services under false assumptions about locality and data handling.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill is presented as a local Greek OCR processor, but the meta-skill example includes email-processing coordination unrelated to OCR. That kind of capability expansion increases the risk that extracted sensitive document contents could be transmitted externally or used by a broader automation chain than users expect.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The metadata advertises optional QuickBooks/Xero export and an API key, but the documentation emphasizes local processing and 'no credentials required' without a prominent warning that integrations may send OCR results to third-party services. This can mislead users handling invoices, receipts, and government forms into exposing sensitive extracted data and credentials without informed consent.

VirusTotal

49/49 vendors flagged this skill as clean.

View on VirusTotal