Security audit

Byted Las Document Parse

Security checks across malware telemetry and agentic risk

Overview

This document parser is mostly coherent, but it can automatically upload local PDFs/images and parsed results to external storage when a file path is mentioned, so users should review it carefully before installing.

Install only if you are comfortable sending PDFs, screenshots, scans, extracted text, and images to Bytedance LAS/TOS services. Use scoped TOS credentials and a dedicated bucket, avoid sensitive or regulated documents unless approved, and ask the agent to confirm before processing any local file or generating a download link.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92%
Finding
The skill clearly uses sensitive capabilities including environment variables, local file reads/writes, and network access, but does not declare permissions in a user-visible way. This weakens policy enforcement and informed consent because the agent may handle credentials and local documents without explicit capability disclosure.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96%
Finding
The stated purpose is document parsing, but the documented behavior extends to uploading user files and result archives to object storage, generating presigned links, downloading images, and calling multiple external services. This mismatch is dangerous because users may believe the skill only performs local parsing while their documents and outputs are actually transmitted and stored externally.

Description-Behavior Mismatch

Medium
Confidence
91%
Finding
The documented `check-and-notify` workflow materially expands the skill from document parsing into downstream data handling: it downloads remote images locally, rewrites content references, packages outputs, and may upload archives to TOS. These side effects increase data movement and persistence, which can expose sensitive document contents or embedded remote resources without an explicit user-confirmed need for those actions.

Context-Inappropriate Capability

Medium
Confidence
88%
Finding
Optional ZIP upload to TOS is a storage/distribution capability that goes beyond the core parsing purpose and creates a path for exfiltration or unintended retention of parsed document contents and extracted images. In a skill that may process private PDFs, scans, and screenshots, automatic archival/upload features meaningfully raise confidentiality risk.

Description-Behavior Mismatch

Medium
Confidence
89%
Finding
The utility silently expands from local parsing/output handling into remote archival and presigned sharing of parsed results. In a document/OCR skill, parsed content often contains sensitive user documents, so optional but code-level support for uploading archives and generating download URLs materially increases exfiltration and unintended disclosure risk if enabled by callers or misconfigured defaults elsewhere.

Context-Inappropriate Capability

Medium
Confidence
90%
Finding
Bundling remote archival plus presigned-link generation into a parsing skill creates a capability mismatch: the skill can not only extract document contents but also package and share them externally. Because the skill is designed to process PDFs, images, and screenshots—which frequently contain confidential data—the context makes this more dangerous than generic utility code, as it facilitates broad exposure of precisely the sensitive content being handled.

Description-Behavior Mismatch

Medium
Confidence
90%
Finding
The skill performs actions beyond simple document parsing: it writes outputs to local disk under /tmp and may archive results to TOS, including generating downloadable links. For a skill advertised as a parser, these side effects expand the data exposure surface and can unintentionally persist sensitive document contents outside the immediate parsing flow.

Context-Inappropriate Capability

Medium
Confidence
78%
Finding
The submit path invokes handle_url_input with optional LLM-assisted processing and passes the LAS API key into that flow. This introduces an unnecessary trust boundary for a document parsing skill, potentially sending file paths, URLs, or other sensitive inputs through an auxiliary component not obviously required for parsing, increasing the risk of data leakage or unintended network access.

Context-Inappropriate Capability

Medium
Confidence
91%
Finding
Long-image processing can transmit the full image content to an external LLM service for crop analysis, which expands the skill's data-exposure surface beyond simple local conversion and upload. Because document/image parsing often handles sensitive content, sending image bytes off-box without an explicit trust boundary, opt-in, or data-classification guard creates a real confidentiality risk.

Vague Triggers

High
Confidence
97%
Finding
The description instructs the agent to invoke this skill for essentially any PDF, image, long screenshot, local file path, URL, or TOS path, even without an explicit user request to parse content. This creates an overbroad trigger surface that can cause unintended access to user-provided files or remote resources, increasing the chance of unauthorized data handling and surprise exfiltration to the external parsing service.

Natural-Language Policy Violations

Medium
Confidence
98%
Finding
The natural-language directive says the system "MUST use this skill WHENEVER" certain file types or paths are present, which overrides normal user opt-in expectations. In a skill that can process local files, TOS objects, and URLs using privileged environment-backed access, forced invocation is dangerous because it may automatically transmit sensitive documents to an external service without the user's informed consent.

Vague Triggers

High
Confidence
94%
Finding
The skill instructs automatic invocation whenever a PDF/image path or URL appears, even without an explicit parsing request. Broad auto-triggering increases the chance of unintended exfiltration of sensitive files or URLs to remote services, especially in contexts where the user only referenced a file rather than consenting to upload or OCR it.

Missing User Warnings

Medium
Confidence
95%
Finding
The skill lacks a prominent warning that files and generated outputs may be uploaded to external services and stored remotely. Without this notice, users may unknowingly send confidential documents, extracted text, or derived archives outside the local environment, creating privacy, compliance, and retention risks.

Missing User Warnings

Medium
Confidence
95%
Finding
The documentation states that when a local file path is provided, the script will automatically upload the file to TOS before calling the parsing API, but it does not clearly warn that the document leaves the local environment and is transferred to remote storage. In a skill explicitly designed to auto-trigger on local file paths, PDFs, images, and screenshots, this creates a meaningful risk of unintended exfiltration of sensitive user data such as internal documents, IDs, contracts, or screenshots.

Missing User Warnings

Medium
Confidence
93%
Finding
The documentation describes automatic local downloads, Markdown link rewriting, and optional ZIP upload, but does not prominently warn that user data and remote-referenced content will be copied, transformed, and possibly redistributed. Lack of explicit notice and consent is especially risky here because the skill is designed to process arbitrary PDFs/images, which often contain sensitive data.

Missing User Warnings

Medium
Confidence
91%
Finding
The documentation explicitly states that when given a local file path, the script will automatically detect the file type, upload it to TOS using configured credentials, and submit it for parsing, but it does not warn users that local files will be transmitted off-host. In an agent setting, this creates a real privacy and data-exfiltration risk because users may supply sensitive local documents expecting local-only processing.

Missing User Warnings

Medium
Confidence
93%
Finding
The code writes the complete API response to disk as result.full.json without any indication of consent, retention policy, or sensitivity filtering. For a document parsing skill, full responses can include extracted text, layout metadata, image URLs, and other potentially sensitive document contents, so silent persistence increases the risk of local data leakage, over-retention, and later unintended access by other processes or users on the host.

Missing User Warnings

Medium
Confidence
93%
Finding
The code sends image content and metadata to an external LLM endpoint but does not provide an in-band warning, consent checkpoint, or clear disclosure at the point of transmission. In the context of a document parsing skill likely to receive private PDFs, screenshots, IDs, contracts, or scans, this omission materially increases the risk of unintended sensitive-data disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.