Back to skill

Security audit

驾驶证识别OCR

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned for driver-license OCR, but it sends sensitive ID data to an external API and persists the API key in a plaintext .env file with limited privacy disclosure.

Review this skill before installing if you will process real driver licenses. Use it only if you trust the XiaoBenYang OCR service with license images and extracted identity fields, understand that the API key is stored in plaintext .env, and are comfortable with raw OCR results being shown back to the user.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill documentation instructs the model to read environment-backed configuration, persist API keys, and call external network APIs, but no explicit permission declaration or user-facing capability disclosure is present. This weakens transparency and policy enforcement around network access, local secret handling, and file writes, making misuse or overreach harder to detect.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The skill contains copied example tool-call guidance referring to unrelated school-search behavior, which shows the documentation is inconsistent with the actual OCR purpose. Such mismatches can cause the agent to invoke the wrong tool patterns or mishandle user input, increasing the chance of unintended data processing in a sensitive document-OCR workflow.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The project structure references a different project name and unrelated code responsibilities, indicating the skill may be repurposed from another package without complete review. In a skill that handles identity documents and API keys, this inconsistency raises the risk of miswired code paths, incorrect endpoints, or accidental disclosure through unexpected components.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill includes functionality to persist an API key into a local .env file and expose helper methods for setting and retrieving it, which is unrelated to the stated driving-license OCR purpose. Persisting secrets locally increases the risk of accidental disclosure through local file access, backups, logs, or source-control mistakes, especially when this behavior is embedded in a skill that appears focused on OCR rather than credential management.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The code can modify both the local .env file and the running process environment, giving the skill write access to configuration state beyond what is needed for document OCR. In a skill context, this broadens the blast radius: compromised or misused code could overwrite credentials, alter downstream behavior, or create persistence that survives beyond a single invocation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill is designed to transmit driver's license images and extracted identity fields to an external OCR API, yet it provides no privacy warning, consent guidance, retention notice, or data-handling explanation. Because driver's licenses contain highly sensitive personal data, users may unknowingly expose regulated identity information to a third party without informed consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This code transmits OCR input parameters together with an API key to an external service, and the skill context involves highly sensitive personal data from driver licenses. Even if this is expected functionality, the absence of visible consent, minimization, or disclosure controls at this layer creates a real privacy and credential-exposure risk if users are unaware data is leaving the local environment or if the upstream service is improperly trusted or logged.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The API key is written to .env without any clear user-facing warning, consent flow, or indication of storage risks. Silent secret persistence is dangerous because users may assume a temporary in-memory setting while the code creates a durable plaintext secret on disk that can later be exposed.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This skill processes and transmits highly sensitive government ID data, including driver’s license numbers, addresses, birth dates, and archive numbers, to an external API via call_api without any visible consent flow, privacy notice, data handling constraints, or minimization in this file. In the context of OCR for identity documents, silent transmission materially increases privacy, compliance, and abuse risk because users may not understand that regulated personal data is leaving the local environment and being sent to a third-party service.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs the model to ask users for an API key in natural language and then store it, creating a credential collection flow that is easy to misuse, mishandle, or retain insecurely. Collecting secrets through conversational prompts increases exposure to logging, transcript retention, accidental echoing, and unclear storage controls.

Ssd 3

Medium
Confidence
96% confidence
Finding
The instruction to directly present raw API/OCR output can expose the full set of extracted driver's-license data, including identity numbers, address, birth date, and other sensitive fields, without redaction or need-based filtering. In this skill context, indiscriminate disclosure is especially risky because the processed documents are government-issued identity records.

Credential Access

High
Category
Privilege Escalation
Content
default_year: int = 2025

    def model_post_init(self, __context):
        # 强制从 .env 文件读取 XBY_APIKEY
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
Confidence
78% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def model_post_init(self, __context):
        # 强制从 .env 文件读取 XBY_APIKEY
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
            for line in content.splitlines():
Confidence
78% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
def save_api_key_to_env(api_key: str) -> bool:
    """将API key保存到.env文件"""
    try:
        env_path = Path(".env")
        lines = []
        if env_path.exists():
            lines = env_path.read_text(encoding="utf-8").splitlines()
Confidence
92% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
def set_api_key(api_key: str) -> bool:
    """设置API key并持久化到.env"""
    if not api_key or not api_key.strip():
        return False
    api_key = api_key.strip()
Confidence
90% confidence
Finding
.env"

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
94% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
91% confidence
Finding
pydantic>=2.7.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
91% confidence
Finding
pydantic-settings>=2.2.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
93% confidence
Finding
python-dotenv>=1.0.1

Known Vulnerable Dependency: requests==2.31.0 — 5 advisory(ies): CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi); CVE-2026-25645 (Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility func) +2 more

Medium
Category
Supply Chain
Confidence
97% confidence
Finding
requests==2.31.0

Known Vulnerable Dependency: python-dotenv==1.0.1 — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
84% confidence
Finding
python-dotenv==1.0.1

VirusTotal

49/49 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.