Degree Certificate Ocr

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward remote OCR wrapper for user-selected degree certificate files, with privacy considerations because those files are sent to Scnet's API.

Install only if you are comfortable sending degree certificate images or PDFs, and the extracted OCR data, to Scnet's remote API under your own API key. Avoid processing documents containing personal data unless that third-party handling is acceptable for your privacy, compliance, and organizational requirements.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding:
The skill handles degree certificate OCR, which involves highly sensitive personal documents, and the code sends the full file to a third-party Scnet API for processing. Even if this is functionally required, it is a real privacy/security issue when the skill description does not clearly disclose remote transmission, because users may assume local-only OCR and unknowingly exfiltrate PII.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The documentation shows that certificate images and OCR outputs, which may contain highly sensitive personal data, are sent to an external third-party endpoint, but it provides no privacy notice, retention guidance, consent requirement, or data-handling limitations. In the context of a degree certificate OCR skill, this is materially risky because users may reasonably expect local or controlled processing while the skill enables transfer of PII to an outside service.

External Transmission

Medium
Category: Data Exfiltration
Content:
# Sugon-Scnet OCR API Documentation Summary

## Endpoint
`POST https://api.scnet.cn/api/llm/v1/ocr/recognize`

## Request Headers
- `Content-Type: multipart/form-data`
Confidence: 83%
Finding:
https://api.scnet.cn/

VirusTotal

66/66 vendors flagged this skill as clean.
