Image2text Ocr

Security checks across malware telemetry and agentic risk

Overview

This is a cloud OCR skill that uploads a user-specified file to Scnet for text recognition. The upload matches the skill's stated purpose, but every file the skill processes leaves the host, so it requires privacy awareness.

Install only if you are comfortable sending selected images, PDFs, or archives to Scnet for OCR. Use a dedicated API key where possible, keep config/.env permissions restrictive, avoid highly sensitive documents unless Scnet's privacy and retention terms meet your needs, and install dependencies from a trusted package source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation indicates capabilities to read local files, invoke Python, and send data to a remote OCR API, but it does not declare permissions or clearly constrain those behaviors. This creates a transparency and policy-enforcement gap: an agent may access local files and transmit their contents externally without explicit permission boundaries, increasing the risk of unintended data exposure.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script sends the user-supplied local file to Scnet's remote OCR API, which is a real external data transmission path that the skill's simple 'extract text from images' description does not convey. This is especially risky because OCR inputs often contain highly sensitive content such as IDs, invoices, bank cards, or business documents, and the code provides no inline consent prompt or disclosure before upload.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation guidance says the AI may automatically trigger the skill for generic OCR-related requests, but it does not require confirmation that the user wants a third-party cloud OCR service or that the referenced file is safe and intended for upload. Overly broad triggering can cause accidental processing and external transmission of sensitive local images when a user only asked for general help.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation instructs the skill to upload user-provided images, PDFs, or archives to a third-party OCR endpoint but does not disclose that the data leaves the local environment or warn about privacy implications. In the context of OCR, uploaded files may contain sensitive personal, financial, legal, or credential material, so the omission can lead to unintended external disclosure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code uploads the specified local file to a remote OCR endpoint without any explicit user-facing warning at execution time about transmission of potentially sensitive document contents. In an OCR context, this is significant because users may reasonably expect local text extraction, while the script actually transfers raw document images off-host.
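The gaps called out in the overview and in the least-privilege, vague-trigger and missing-warning findings above can all be closed before any byte leaves the host. The Python below is an added example written for this page, not the skill's own code: it refuses a dotenv file that is readable by anyone but its owner (the chmod 600 step the skill's setup instructions ask for), requires an explicit consent flag before an upload is even prepared, confines input to one user-chosen directory, allow-lists input types, caps the size, and reports exactly what would be sent to the recognize endpoint. The endpoint URL and the SCNET_API_KEY variable name come from the page; the directory confinement, suffix allow-list, size cap and the demo() scenario with its constructed files are assumptions.

```python
"""Pre-flight gate for a cloud-OCR skill (added example, not the skill's own code).

Assumptions not taken from the page: the key lives in a dotenv file, the caller
passes an explicit `consent` flag, and uploads are confined to one directory.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Endpoint taken from the skill's API summary; everything else below is assumed.
SCNET_OCR_ENDPOINT = "https://api.scnet.cn/api/llm/v1/ocr/recognize"
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".webp", ".pdf", ".zip", ".tar", ".gz"}
MAX_BYTES = 20 * 1024 * 1024  # refuse anything larger than 20 MiB


def load_api_key(env_path: Path) -> str:
    """Read SCNET_API_KEY from a dotenv file, refusing files readable by group/others.

    The skill's docs tell the user to chmod 600 the file; this enforces that
    instead of trusting that the step was done.
    """
    mode = stat.S_IMODE(env_path.stat().st_mode)
    if mode & 0o077:
        raise PermissionError(f"{env_path} is mode {oct(mode)}; expected 0o600")
    for line in env_path.read_text().splitlines():
        line = line.strip()
        if line.startswith("SCNET_API_KEY="):
            key = line.split("=", 1)[1].strip().strip('"').strip("'")
            if key and key != "your_scnet_api_key_here":
                return key
    raise ValueError("SCNET_API_KEY not set in dotenv file")


def prepare_upload(file_path: Path, allowed_root: Path, consent: bool) -> dict:
    """Return a summary of what would leave the host, or raise. Nothing is sent here.

    Gates: explicit consent, path confined to allowed_root, allow-listed suffix,
    size cap. The summary is meant to be shown to the user before the real POST.
    """
    if not consent:
        raise PermissionError("upload to a third-party OCR service requires explicit consent")
    root = allowed_root.resolve()
    target = file_path.resolve()          # resolve() defeats ../ and symlink escapes
    if root not in target.parents:
        raise PermissionError(f"{file_path} is outside {allowed_root}")
    if target.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"{target.suffix!r} is not an allowed OCR input type")
    size = target.stat().st_size
    if size > MAX_BYTES:
        raise ValueError(f"{target.name} is {size} bytes; limit is {MAX_BYTES}")
    return {
        "endpoint": SCNET_OCR_ENDPOINT,
        "content_type": "multipart/form-data",   # per the API summary on this page
        "filename": target.name,
        "bytes": size,
        "sha256": hashlib.sha256(target.read_bytes()).hexdigest(),
    }


def _outcome(fn, *args) -> str:
    """Run a gate and return its refusal message instead of raising (demo use only)."""
    try:
        fn(*args)
        return "allowed"
    except (PermissionError, ValueError) as exc:
        return f"refused: {exc}"


def demo() -> dict:
    """Constructed scenario exercising every gate; returns each outcome by name."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        env = root / ".env"
        env.write_text("SCNET_API_KEY=sk-example-not-real\n")   # constructed, not a real key
        os.chmod(env, 0o644)                                      # as a careless setup leaves it
        results["loose_env"] = _outcome(load_api_key, env)
        os.chmod(env, 0o600)
        results["key_loaded"] = bool(load_api_key(env))

        img = root / "invoice.png"
        img.write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)      # constructed stub, not a real image
        results["ok"] = prepare_upload(img, root, True)
        results["no_consent"] = _outcome(prepare_upload, img, root, False)
        results["outside_root"] = _outcome(prepare_upload, root.parent / "elsewhere.png", root, True)
        notes = root / "notes.txt"
        notes.write_text("not an OCR input")
        results["bad_suffix"] = _outcome(prepare_upload, notes, root, True)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Nothing here performs the POST; the skill's existing upload code should run only after prepare_upload() returns and the user has seen the returned summary. Resolving both paths before the containment check is what defeats ../ segments and symlinks that point outside the allowed directory, which is the file-system-enumeration risk the scanner's pattern list refers to.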

External Transmission

Medium
Category
Data Exfiltration
Content
SCNET_API_KEY=your_scnet_api_key_here

# API base URL (normally no need to change)
SCNET_API_BASE=https://api.scnet.cn/api/llm/v1
2. Add: `SCNET_API_KEY=your_key`
3. Set the file permissions to 600 (owner read/write only)
Confidence
89% confidence
Finding
https://api.scnet.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
| Variable | Default | Description |
|----------|---------|-------------|
| SCNET_API_KEY | required | Scnet API key |
| SCNET_API_BASE | https://api.scnet.cn/api/llm/v1 | API base URL (normally no need to change) |

### Output
Confidence
88% confidence
Finding
https://api.scnet.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
# Sugon-Scnet OCR API documentation summary

## Endpoint
`POST https://api.scnet.cn/api/llm/v1/ocr/recognize`

## Request headers
- `Content-Type: multipart/form-data`
Confidence
90% confidence
Finding
https://api.scnet.cn/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal