ceac-visa-status-checker

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it checks CEAC visa status using user-provided case details and Zhipu captcha OCR, with sensitive but purpose-aligned data handling.

Install only if you are comfortable storing CEAC identifiers, passport-related inputs, and a Zhipu API key in a local .env file, sending the visa-status form data to CEAC, and sending captcha images to Zhipu for OCR. Keep the .env file private, consider using a dedicated Zhipu key, and avoid excessive automated checks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (95% confidence)

Finding
The skill asks for visa case identifiers, passport number, surname, and an API key, then uses a third-party vision model to solve captchas, but it does not clearly warn users that visa-related data may be transmitted to an external OCR provider. This is dangerous because applicants may unknowingly expose sensitive personal and immigration-related information to a third party, creating privacy, compliance, and data-handling risks.

Missing User Warnings

High (97% confidence)

Finding
The skill sends CEAC captcha images to Zhipu's external vision API to solve them, which discloses data derived from a government visa-status workflow to a third party without any consent, notice, or data-minimization controls in the code. In this context, the captcha image is tied to a visa case lookup flow and the tool also processes passport number, surname, and case number, making third-party transmission materially sensitive and increasing privacy, compliance, and account/data-handling risk.

VirusTotal

63/63 vendors flagged this skill as clean.
