Local GLM OCR with llama.cpp on AIPC (no API Key)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate local OCR skill, but its setup modifies the Python environment and runs downloaded components in ways users should review first.

Install only if you trust the GitHub, HuggingFace, ModelScope, and PyPI sources involved. Prefer running setup in an isolated Python environment, reviewing the downloaded binary source, and avoiding automatic pip installs unless you accept that they can modify your environment with your user privileges.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
    files = ["GLM-OCR-Q8_0.gguf", "mmproj-GLM-OCR-Q8_0.gguf"]

    if source == "ms":
        subprocess.run(
            [sys.executable, "-m", "pip", "install", "modelscope", "-q"], check=True
        )
        from modelscope.hub.file_download import model_file_download
Confidence: 88%
Finding: subprocess.run( [sys.executable, "-m", "pip", "install", "modelscope", "-q"], check=True )

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
            print(f"Downloading {fname} ...")
            model_file_download("ggml-org/GLM-OCR-GGUF", file_path=fname, local_dir=model_dir)
    else:
        subprocess.run(
            [sys.executable, "-m", "pip", "install", "huggingface_hub", "-q"], check=True
        )
        # Uncomment the next line to use the HF mirror (recommended in China):
Confidence: 88%
Finding: subprocess.run( [sys.executable, "-m", "pip", "install", "huggingface_hub", "-q"], check=True )

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: Installing packages at runtime is not necessary for OCR logic itself and materially expands the attack surface by allowing new code to be fetched and executed on the endpoint. In the context of a skill advertised as local OCR, this capability is riskier because users may not expect installer-like behavior that modifies the Python environment.

VirusTotal

VirusTotal findings are pending for this skill version.