Bank Draft Ocr

Security checks across malware telemetry and agentic risk

Overview

This bank-draft OCR skill is purpose-aligned and user-directed, but it sends sensitive document images to Scnet's remote OCR API.

Install only if you are comfortable sending the selected bank draft image or PDF to Scnet for OCR. Avoid using it on documents you are not allowed to transmit to third parties, and do not paste API keys into chat; store the key locally as instructed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The documentation instructs users to upload files containing OCR source material to a third-party remote endpoint, but it does not disclose privacy, retention, consent, or data-handling expectations. In the context of a bank draft OCR skill, uploaded files are likely to contain financial and personally identifiable information, so the lack of an explicit warning and handling guidance creates a meaningful privacy and compliance risk.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The example response includes identity attributes such as name, address, birth date, gender, nationality, and ID number without any warning about sensitive data handling. Even if the values are illustrative, this normalizes processing of high-risk personal data and fails to signal that downstream consumers must protect, mask, and restrict use of OCR results.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal