发票识别 (Invoice Recognition)

Security checks across malware telemetry and agentic risk

Overview

The skill performs invoice OCR as advertised, but needs review because it asks users to share and persist an API key and uploads invoice files to a third-party service.

Install only if you are comfortable sending invoice files and an API key to skill.quandianfapiao.com. Prefer passing the API key only for the current run, do not paste it into chat, and avoid letting the skill write it permanently into shell profiles or user environment variables.

Publisher note

Use this skill to run OCR on uploaded invoice files and automatically extract the structured information printed on the invoice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill directs the agent to solicit an API key from the user and then persist it in system or shell environment variables, which exceeds the narrow task of OCRing an invoice. Persisting credentials broadens the blast radius: other processes, sessions, or future tasks may access the key, and the user is not given a narrowly scoped, one-time-use alternative.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The documentation instructs executing shell and PowerShell commands to inspect environment configuration before doing OCR. For an invoice-recognition skill, requiring command execution to probe host state is an unjustified expansion of capability and exposes host environment details that are unrelated to the core task.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill explicitly tells the agent to persist the provided API key into user profile startup files or user-level environment variables without warning about long-term credential exposure. Persistent storage of secrets is risky because the key may be harvested by other tools, shell history, future sessions, or unrelated workflows, turning a single OCR action into lasting credential compromise.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill uploads invoice files to a remote API endpoint, but the user-facing flow does not clearly warn that potentially sensitive financial documents will be transmitted off-host. Invoices commonly contain personal, financial, and tax data, so silent transmission creates a privacy and compliance risk, especially if users assume processing is local.

Ssd 3

Medium
Confidence: 98%
Finding
The script instructs the user to send their API key to the assistant so the assistant can configure and execute the skill. This normalizes credential sharing with an intermediary and can directly expose a secret that grants access to the remote invoice-processing service, enabling unauthorized use or misuse of the account.

VirusTotal

VirusTotal findings are pending for this skill version.
