Doc Ocr Skills

Security checks across malware telemetry and agentic risk

Overview

This is a coherent OCR skill, but users should treat its downloaded binary installer and optional Gemini cloud processing as important trust and privacy considerations.

Install only if you trust the publisher and the GitHub release binary. Safer choices are to inspect the installer first, build from source, or use verified checksums if the publisher provides them. Use RapidOCR or PaddleOCR for private documents; use Gemini only when uploading the selected document contents to Google’s cloud service is acceptable, and protect the API key stored in ~/.ocr/config.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill invokes shell commands and an installer script, but it does not declare any permissions or operational risks to the user. This creates a trust gap: consumers may believe the skill only performs OCR when it also requires command execution and local system modification, increasing the chance of unintended execution in sensitive environments.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is OCR, but the installation path includes downloading an executable binary, detecting host OS/architecture, and installing software locally. That mismatch is security-relevant because users may not expect network retrieval and execution of platform-specific binaries, which materially expands the attack surface and supply-chain risk.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The installer downloads a platform-specific executable from a remote GitHub release and installs it locally without any integrity verification such as a checksum or signature check. Even if the OCR purpose may justify installing a helper binary, the lack of trust validation means a compromised release asset, repository, or network path could result in arbitrary code execution on the host.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This script fetches an executable from GitHub and writes it into the skill directory, creating a supply-chain risk because the downloaded file is trusted implicitly. In the context of an OCR skill, downloading a native OCR utility can be functionally relevant, but doing so without provenance checks, size/type validation, or checksum verification makes the installation path unsafe.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README promotes a cloud OCR engine but does not warn users that document contents will be transmitted to an external service for processing. For OCR workloads, inputs commonly contain sensitive personal, financial, legal, or proprietary information, so omission of a privacy/data-handling warning can cause users to expose confidential documents unintentionally.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README promotes a cloud OCR engine but does not clearly warn that document contents will be transmitted to an external Gemini API for processing. For OCR on scanned PDFs and images, this can expose sensitive personal, financial, legal, or proprietary data, so missing disclosure creates a real privacy and compliance risk even if the behavior is expected by the software design.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The Gemini engine sends document contents to a cloud service, but the skill does not clearly warn users of that data flow in the description or quick-start guidance. This can lead to accidental disclosure of sensitive documents, especially if users assume all OCR modes are local because PaddleOCR and RapidOCR are local options.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal