Mobile Pay Bill Ocr

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform the advertised OCR task, but it can upload sensitive payment-bill files to an external service without clear privacy and consent guidance.

Install only if you are comfortable sending payment-bill images or PDFs to Scnet's OCR service. Confirm the exact file path before each run, avoid uploading unrelated or unredacted financial records, and review the provider's privacy, retention, and compliance terms before using it with real payment data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation describes uploading OCR input files to a third-party remote endpoint but does not warn that the files and extracted text may include highly sensitive personal and financial data. In the context of a bill/OCR skill for Alipay and WeChat payment records, this omission increases the risk of users or integrators transmitting regulated data without informed consent, proper minimization, or compliance review.

VirusTotal

66/66 vendors flagged this skill as clean.
