ClawHub

Image Parser

Security checks across malware telemetry and agentic risk

Overview

This is a coherent OCR helper that sends user-selected images to SoMark and writes local parsing results, with the main privacy consideration clearly tied to that purpose.

Install only if you are comfortable sending selected images, such as receipts, invoices, screenshots, or forms, to SoMark for processing. Prefer the SOMARK_API_KEY environment variable over command-line keys, monitor quota or billing, and add the suggested CLAUDE.md default only if you want future OCR tasks to prefer this external service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill clearly instructs use of environment variables, reading uploaded/user-provided files, writing output files, and calling an external API, yet it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: users and the hosting system may not realize the skill can access local files, write artifacts, and transmit image contents to a third-party service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill sends local image contents and the SoMark API key to an external third-party service, which creates a real data exfiltration and privacy risk if users process sensitive images. Although the skill description mentions a SoMark API key, the execution flow does not provide an explicit runtime disclosure or consent checkpoint before uploading files, so users may not fully appreciate that local content is leaving the environment.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal