Marriage Certificate Ocr

Security checks across malware telemetry and agentic risk

Overview

This is a cloud OCR skill that sends user-selected marriage-certificate files to Scnet for extraction, which is sensitive but consistent with its stated purpose.

Install only if you are comfortable sending marriage-certificate images and extracted identity details to Scnet's OCR service. Verify SCNET_API_BASE before use, keep the API key in the local .env file with restricted permissions, and avoid uploading documents unless you have consent and a privacy/compliance basis for processing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation indicates it reads local files, invokes Python/shell commands, and sends data over the network, but it does not declare corresponding permissions. This creates a transparency and least-privilege problem: users and host frameworks may not realize that local images and extracted sensitive personal data are transmitted to an external OCR service.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document describes uploading marriage-certificate images and receiving extracted personal data from a third-party OCR API, but it does not clearly warn that highly sensitive identity information will be transmitted off-platform. In this skill context, the data includes names, birth dates, ID numbers, and registration details, so omission of disclosure and handling guidance materially increases privacy, compliance, and data-exposure risk.

External Transmission

Medium
Category
Data Exfiltration
Content
```
SCNET_API_KEY=your_scnet_api_key_here

# API base URL (usually no need to change)
SCNET_API_BASE=https://api.scnet.cn/api/llm/v1
```
2. Add: `SCNET_API_KEY=你的密钥`
3. Set the file permissions to 600 (owner read/write only)
Confidence
94% confidence
Finding
https://api.scnet.cn/

External Transmission

Medium
Category
Data Exfiltration
Content
| Variable | Default | Description |
|----------|---------|-------------|
| SCNET_API_KEY | Required | Scnet API key |
| SCNET_API_BASE | https://api.scnet.cn/api/llm/v1 | API base URL (usually no need to change) |

### Output
Confidence
91% confidence
Finding
https://api.scnet.cn/

VirusTotal

64/64 vendors flagged this skill as clean.
