Back to skill

Security audit

验证码识别OCR

Security checks across malware telemetry and agentic risk

Overview

This captcha OCR skill appears to call a real external API, but it also persists an API key locally and contains copied Gaokao/MCP scaffolding that makes its scope unclear.

Install only if you trust xiaobenyang.com with both the API key and captcha images you submit. Treat the saved .env API key as a local secret, avoid using sensitive or account-bound captchas, and prefer a version that removes the Gaokao copy-paste residue, documents the third-party upload clearly, and uses a proper secret store.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (25)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documents capabilities to read environment variables, write configuration, access files, and call a remote API, yet it declares no permissions. This weakens user visibility and policy enforcement, increasing the chance that sensitive operations like API-key storage and outbound data transfer occur without informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The skill claims to perform captcha OCR, but the documented behavior also includes API-key persistence, local config access, and a generic remote tool-calling client. This mismatch obscures the true trust boundary: users may think they are using a narrow OCR utility while the skill can store secrets and transmit data externally.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The workflow contains unrelated school-search invocation examples, indicating copied or inconsistent operating instructions. Such documentation drift can cause the agent to select the wrong tool pattern or normalize unsafe generic tool-calling behavior beyond the stated OCR purpose.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The project structure references a different skill/domain, suggesting this package may have been repurposed without a full security review. That inconsistency increases the risk of hidden functionality, stale endpoints, or broader capabilities than the user-facing OCR description implies.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This OCR skill's configuration contains unrelated Gaokao/MCP remote-service identifiers and API credential handling, which materially deviates from the declared captcha OCR purpose. Such capability expansion increases the chance that the skill can silently interact with external infrastructure and process secrets not needed for OCR, creating unnecessary exfiltration and supply-chain risk.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code persists an API key into a local .env file even though the skill's stated purpose is only captcha OCR, and no necessity or consent flow is shown. Persisting secrets to disk enlarges the attack surface through accidental check-in, local disclosure, and reuse by unrelated components on the same host.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The class docstring identifies the component as a Gaokao skill, contradicting the published captcha OCR description. This mismatch is a strong indicator of copied or repurposed code and undermines trust boundaries, because hidden functionality and undeclared dependencies are more likely in mislabeled skills.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill asks users to provide image URLs or base64-encoded image data but does not warn that this content will be sent to an external OCR service. Users may unknowingly transmit sensitive images, tokens, or session-related captcha material to a third party without informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The function writes an API key to .env without any user-facing warning, confirmation, or indication of persistence. Silent secret persistence can surprise operators, violate least astonishment, and leave credentials on disk where they may be exposed through backups, logs, or repository mistakes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The function forwards a user-supplied image URL to an external API, but this file provides no disclosure, consent, or indication that captcha images will leave the local skill boundary. Captcha images can contain sensitive or session-bound data, and silent transmission to a third party creates a privacy and data-governance risk even if the API call is functionally intended.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This function sends raw base64-encoded image contents to an external API without any warning or transparency in the code interface shown here. Because the full image payload is transmitted off-platform, users may unknowingly expose sensitive visual data, making this a real privacy and compliance concern.

Ssd 3

Medium
Confidence
98% confidence
Finding
The skill instructs the agent to solicit an API key through conversation and persist it locally, but it does not define boundaries on storage security, masking, reuse, or later disclosure. Conversation-collected secrets are especially sensitive because they may be logged, echoed, or reused across sessions if not tightly controlled.

Ssd 3

Medium
Confidence
96% confidence
Finding
The directive to directly display raw API response data can expose sensitive or unexpected content returned by the external service, including identifiers, debugging details, or provider metadata. Raw passthrough also reduces the chance to filter malicious or privacy-impacting content before presentation to the user.

Credential Access

High
Category
Privilege Escalation
Content
model_config = SettingsConfigDict(
        env_prefix="XBY_GAOKAO_",
        env_file=".env",
        env_file_encoding="utf-8",
        extra="ignore",
    )
Confidence
90% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
default_year: int = 2025

    def model_post_init(self, __context):
        # 强制从 .env 文件读取 XBY_APIKEY
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
Confidence
96% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def model_post_init(self, __context):
        # 强制从 .env 文件读取 XBY_APIKEY
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
            for line in content.splitlines():
Confidence
96% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
if line.startswith("XBY_APIKEY="):
                    self.api_key = line.split("=", 1)[1].strip()
                    break
        # 如果环境变量有值,覆盖 .env 的值
        env_val = os.getenv("XBY_APIKEY", "")
        if env_val:
            self.api_key = env_val
Confidence
88% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def save_api_key_to_env(api_key: str) -> bool:
    """将API key保存到.env文件"""
    try:
        env_path = Path(".env")
        lines = []
        if env_path.exists():
            lines = env_path.read_text(encoding="utf-8").splitlines()
Confidence
97% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
def set_api_key(api_key: str) -> bool:
    """设置API key并持久化到.env"""
    if not api_key or not api_key.strip():
        return False
    api_key = api_key.strip()
Confidence
95% confidence
Finding
.env"

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
93% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
88% confidence
Finding
pydantic>=2.7.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
88% confidence
Finding
pydantic-settings>=2.2.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
94% confidence
Finding
python-dotenv>=1.0.1

Known Vulnerable Dependency: requests==2.31.0 — 5 advisory(ies): CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi); CVE-2026-25645 (Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility func) +2 more

Medium
Category
Supply Chain
Confidence
97% confidence
Finding
requests==2.31.0

Known Vulnerable Dependency: python-dotenv==1.0.1 — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
84% confidence
Finding
python-dotenv==1.0.1

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.