Education Certificate Ocr

Security checks across malware telemetry and agentic risk

Overview

This is a cloud OCR skill that sends a user-selected certificate file to Scnet for recognition, which is expected for its purpose but involves sensitive documents.

Install only if you are comfortable sending certificate images or PDFs to Scnet's remote OCR service. Avoid using it on documents containing unnecessary personal data unless you understand the provider's privacy, retention, and compliance terms.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (3)

Missing User Warnings

Medium

Confidence: 85% confidence
Finding: The documentation directs clients to upload images, PDFs, or compressed archives containing highly sensitive identity and education records to a third-party OCR endpoint using a bearer token, but it provides no warning, consent, minimization guidance, or handling requirements for personal data. In the context of an education certificate OCR skill, this is especially sensitive because the example response includes identity-card fields, addresses, ID numbers, and stamp data, increasing the risk of privacy violations, regulatory noncompliance, and unintended exfiltration of personal information.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The script uploads the user-supplied certificate file to a third-party OCR API, but it does not present a clear runtime warning or require explicit consent before transmitting potentially sensitive personal and education data off-host. In this skill context, the files likely contain PII such as names, certificate numbers, majors, schools, and graduation dates, so silent external transfer creates a meaningful privacy and compliance risk.

External Transmission

Medium

Category: Data Exfiltration
Content: # Sugon-Scnet OCR API 文档摘要 ## 接口地址 `POST https://api.scnet.cn/api/llm/v1/ocr/recognize` ## 请求头 - `Content-Type: multipart/form-data`
Confidence: 92% confidence
Finding: https://api.scnet.cn/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal