Back to skill

Security audit

银行卡识别OCR

Security checks across malware telemetry and agentic risk

Overview

This bank-card OCR skill uses a third-party API and stores an API key locally, but its disclosure and scoping are not clear enough for sensitive financial images.

Install only if you trust the Xiaobenyang service with bank-card images and OCR results. Avoid uploading full card images unless necessary, use a limited-scope API key, keep .env out of version control, and review or remove the Gaokao/search_schools leftovers and generic API dispatch before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (23)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation describes capabilities that involve environment access, file read/write, and network use, yet no permissions are declared. This creates a transparency and governance gap: users and hosting platforms may not realize the skill can persist secrets, read local data, or transmit content externally.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The example tool call references an unrelated function, 'search_schools', in a bank-card OCR skill. This kind of copy-paste mismatch can misroute agent behavior, cause invocation of unintended tools, or confuse reviewers about the actual execution path.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill is advertised as bank-card OCR and validation, but this file exposes a generic remote tool-invocation primitive driven by caller-controlled mcp_id, tool_name, and params. That mismatch creates hidden capability expansion: any component that can reach this function may invoke unintended upstream tools or process unrelated sensitive data, which is especially risky in a financial-data context.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code permits arbitrary outbound API invocation by placing caller-controlled tool_name and mcp_id directly into request headers for a generic /api endpoint. In a skill supposedly limited to bank-card OCR, this broad dispatch mechanism can be abused to access unintended upstream functionality, turning the skill into a general proxy for remote actions or data handling beyond its declared scope.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file’s configuration is clearly for a different product/domain ('高考', XBY_GAOKAO, mcp.xiaobenyang.com) than the declared bank-card OCR skill. This kind of domain mismatch is a strong supply-chain integrity issue because it can cause the skill to send data or credentials to an unrelated backend, violating user expectations and potentially exposing sensitive OCR-derived financial data.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The code comments and settings behavior contradict each other: the class uses the XBY_GAOKAO_ prefix, but the post-init logic manually reads XBY_APIKEY from .env and environment variables. This inconsistency increases the chance of misconfiguration, accidental credential loading from the wrong namespace, and hidden behavior that operators may not expect.

Missing User Warnings

High
Confidence
96% confidence
Finding
This skill processes highly sensitive bank card images and sends them to an external API, but the documentation provides no explicit warning, consent flow, or data-handling notice. Users may unknowingly expose full PAN data, issuer information, and associated image content to a third party, creating privacy, compliance, and financial-risk concerns.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The request sends both an API credential and user-supplied params to an external service, yet the code contains no consent, disclosure, minimization, or redaction controls. Because the skill processes bank-card data, silent transmission to an upstream endpoint increases the risk of privacy violations, unauthorized data sharing, and accidental exposure of sensitive financial information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The helper persists an API key into a local .env file automatically, without any user confirmation, warning, or controls around file permissions. Persisting secrets by default can leave credentials readable by other local users, accidentally committed to version control, or reused by unrelated code in the same workspace.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This function sends bank-card image data to an external API via call_api, but the code shown provides no explicit notice, consent flow, or data-handling safeguard for highly sensitive financial information. Because bank card images can expose PANs and related financial metadata, silent external transmission increases privacy, compliance, and data-exfiltration risk if users or integrators are unaware of where the data is processed.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This function transmits base64-encoded bank-card image content to an external API, again without any explicit warning or indication of third-party transfer in the code. Encoding the image as base64 does not reduce sensitivity; it still contains full payment-card image data, so undisclosed remote processing can create significant privacy, compliance, and unauthorized disclosure risks.

Ssd 3

Medium
Confidence
94% confidence
Finding
The instructions tell the model to ask the user for an API key and then save it for continued use, creating a natural-language secret collection and retention workflow. This increases the chance of insecure handling, accidental logging, reuse beyond user intent, and unclear boundaries around credential storage.

Ssd 3

Medium
Confidence
92% confidence
Finding
The skill instructs the model to directly present raw API output to the user without any filtering or minimization step. If the external API returns full card numbers, metadata, debugging details, or other sensitive fields, the assistant may disclose more information than necessary.

Credential Access

High
Category
Privilege Escalation
Content
default_year: int = 2025

    def model_post_init(self, __context):
        # 强制从 .env 文件读取 XBY_APIKEY
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
Confidence
92% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def model_post_init(self, __context):
        # 强制从 .env 文件读取 XBY_APIKEY
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
            for line in content.splitlines():
Confidence
92% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
def save_api_key_to_env(api_key: str) -> bool:
    """将API key保存到.env文件"""
    try:
        env_path = Path(".env")
        lines = []
        if env_path.exists():
            lines = env_path.read_text(encoding="utf-8").splitlines()
Confidence
94% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
def set_api_key(api_key: str) -> bool:
    """设置API key并持久化到.env"""
    if not api_key or not api_key.strip():
        return False
    api_key = api_key.strip()
Confidence
93% confidence
Finding
.env"

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
92% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
92% confidence
Finding
pydantic>=2.7.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
91% confidence
Finding
pydantic-settings>=2.2.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
91% confidence
Finding
python-dotenv>=1.0.1

Known Vulnerable Dependency: requests==2.31.0 — 5 advisory(ies): CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi); CVE-2026-25645 (Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility func) +2 more

Medium
Category
Supply Chain
Confidence
95% confidence
Finding
requests==2.31.0

Known Vulnerable Dependency: python-dotenv==1.0.1 — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
83% confidence
Finding
python-dotenv==1.0.1

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.