Back to skill

Security audit

营业执照识别OCR

Security checks across malware telemetry and agentic risk

Overview

This OCR skill appears to do the advertised business-license recognition, but it needs review because it stores an API key on disk and sends sensitive document data to an external service with incomplete disclosure and some copy-paste scope mismatches.

Install only if you are comfortable giving this publisher a Xiaobenyang API key and sending business-license images or base64 document contents to its external OCR API. Treat the saved .env key as a persistent plaintext secret, rotate it if exposed, and prefer a disposable or tightly scoped API key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill instructs the agent to use environment access, file write, and networked API calls, including persisting an API key, but it declares no permissions or trust boundaries. This creates a real security gap because reviewers and users are not clearly informed that the skill can read configuration, store secrets, and send data externally.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The workflow example references an unrelated function (`search_schools`) in a business-license OCR skill, showing copy-paste inconsistency between documentation and intended behavior. In an agent setting, misleading tool invocation guidance can cause incorrect tool selection, accidental data disclosure to the wrong API path, or unsafe execution patterns.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file’s behavior is materially inconsistent with the declared OCR business-license skill: it configures a different 'gaokao' service, hard-codes a remote MCP identifier, and implements credential persistence logic. This kind of scope mismatch is dangerous because it can cause operators to deploy code that exfiltrates or reuses credentials for an unrelated service under the guise of an OCR skill, reducing trust boundaries and auditability.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code can write an API key to a local .env file and also inject it into the process environment, which exceeds what is normally needed for a simple OCR skill. Persisting secrets this way increases the chance of accidental disclosure through source control, backups, shared workspaces, or later code paths that read environment variables.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The class docstring labels this as a '小笨羊高考Skill配置', directly conflicting with the advertised business-license OCR purpose. In security review, this discrepancy is a strong indicator of repurposed or misplaced code, which can hide unintended network access, credential use, or supply-chain substitution inside a seemingly unrelated skill.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill tells the agent to ask for an API key and persist it with `set_api_key()` but does not disclose where the secret is stored, how long it persists, or who can access it. This is dangerous because users may provide credentials without informed consent, and persistent secret storage increases the risk of leakage or reuse by other components.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill processes sensitive business-license images and explicitly accepts either image URLs or raw base64 document contents, but it does not warn users that these materials will be transmitted to an external OCR service. Because business licenses contain identifying and corporate registration data, undisclosed exfiltration to a third party materially increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The function silently saves the provided API key into .env without any user-facing warning, consent flow, or disclosure of persistence behavior. Secret persistence without notice is risky because users may assume the key is ephemeral while it remains on disk for later unintended access by other tools, users, or commits.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The function forwards a user-provided business license image URL to an external API, which means potentially sensitive corporate and personal information is transmitted off-system. Even if this is necessary for OCR, the file provides no visible notice, consent mechanism, or data-handling constraints, so users may unknowingly disclose regulated or confidential data to a third party.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This function sends raw base64-encoded business license image data to an external API for processing, exposing sensitive registration details and possibly personal information contained in the document. Base64 is only an encoding, not protection, so without a warning or consent flow users may unknowingly transmit sensitive document contents to a third party.

Credential Access

High
Category
Privilege Escalation
Content
default_year: int = 2025

    def model_post_init(self, __context):
        # 强制从 .env 文件读取 XBY_APIKEY
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
Confidence
90% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def model_post_init(self, __context):
        # 强制从 .env 文件读取 XBY_APIKEY
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
            for line in content.splitlines():
Confidence
88% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
def save_api_key_to_env(api_key: str) -> bool:
    """将API key保存到.env文件"""
    try:
        env_path = Path(".env")
        lines = []
        if env_path.exists():
            lines = env_path.read_text(encoding="utf-8").splitlines()
Confidence
91% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
def set_api_key(api_key: str) -> bool:
    """设置API key并持久化到.env"""
    if not api_key or not api_key.strip():
        return False
    api_key = api_key.strip()
Confidence
90% confidence
Finding
.env"

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
95% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
95% confidence
Finding
pydantic>=2.7.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
95% confidence
Finding
pydantic-settings>=2.2.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
95% confidence
Finding
python-dotenv>=1.0.1

Known Vulnerable Dependency: requests==2.31.0 — 5 advisory(ies): CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi); CVE-2026-25645 (Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility func) +2 more

Medium
Category
Supply Chain
Confidence
89% confidence
Finding
requests==2.31.0

Known Vulnerable Dependency: python-dotenv==1.0.1 — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
78% confidence
Finding
python-dotenv==1.0.1

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.