发票票据识别虾

Security checks across malware telemetry and agentic risk

Overview

This is a coherent invoice OCR skill, but invoices, API keys, and exported files should be treated as sensitive.

Install only if your organization allows invoice images and tax data to be processed by the configured OCR, model, tax-verification, or Feishu providers. Use scoped API keys in environment variables, confirm the exact input folders and output paths, review extracted results before uploads, and store exported JSON or Excel files in a protected location.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tainted flow: 'token_url' from os.environ.get (line 40, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    # Obtain the access_token.
    # api_key and secret_key are read from the environment (os.environ.get, line 40)
    # and embedded in the URL query string before the request is sent; this is the
    # credential -> network flow flagged by this finding.
    token_url = f"https://aip.baidubce.com/oauth/2.0/token?grant_type=client_credentials&client_id={api_key}&client_secret={secret_key}"
    token = requests.post(token_url).json().get("access_token")

    # Call invoice recognition (excerpt continues in the skill's script)
    with open(image_path, "rb") as f:
Confidence
79% confidence
Finding
token = requests.post(token_url).json().get("access_token")

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to download invoice images locally, invoke scripts, access environment variables for OCR credentials, write output files, and send invoice data to external OCR services, but it declares no permissions or capability boundaries. Because invoices contain sensitive financial and tax data, undeclared file, network, and secret access increases the risk of silent exfiltration, overbroad tool use, and unsafe handling of credentials and documents.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill processes invoices by downloading them to local storage and may transmit their contents to Baidu, Alibaba, or an AI vision model, yet the description does not clearly disclose the privacy and compliance implications. This is dangerous because invoices often contain personally identifiable information, tax identifiers, company details, and financial amounts, and users may not realize their documents are being persisted locally or sent to third parties.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Invoice images and extracted tax data are sensitive financial records, and this skill transmits them to external OCR and verification services without explicit user-facing disclosure or consent gating. In this skill context, that is more dangerous because users may assume local processing while documents can contain PII, tax IDs, addresses, and payment information.

Missing User Warnings

Low
Confidence
90% confidence
Finding
Batch mode silently writes extracted invoice contents to JSON or Excel on disk, which can leave sensitive financial and personal data in locations with weak filesystem protections or later accidental sharing. For an invoice-processing skill, persistent export is expected functionality but still creates a real confidentiality risk if not disclosed and controlled.

VirusTotal

64/64 vendors flagged this skill as clean.
