Back to skill

Security audit

手写文本OCR

Security checks across malware telemetry and agentic risk

Overview

This OCR skill does what it advertises, but it handles sensitive images and API keys with weak disclosure and plaintext persistence.

Review this skill before installing. Use it only with a service-specific XiaoBenYang API key you are comfortable storing locally, keep .env out of source control, and avoid submitting signatures, identity documents, financial forms, or confidential handwriting unless you accept that the image data will be sent to an external OCR API.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation directs use of environment variables, persistent configuration writes, and external API calls, but no explicit permission declaration or user-facing consent boundary is present. This increases the risk that the skill will access local config and transmit user-supplied image data or secrets to an external service without adequate transparency or enforcement.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The workflow includes an unrelated example call to `search_schools`, which contradicts the stated OCR-only toolset and can mislead an agent into selecting or invoking the wrong function. In an agentic environment, contradictory instructions increase prompt-surface ambiguity and can cause unintended data handling or execution paths.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The configuration code is inconsistent with the declared handwriting OCR purpose: it is labeled for a gaokao skill, points to an unrelated MCP service, and explicitly reads, stores, and exposes an API key under a different namespace. This mismatch strongly suggests hidden cross-skill integration or credential collection beyond the user-visible function, which is dangerous because users may provide secrets to a skill that does not need them.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Persisting an externally supplied API key to .env and mutating process environment variables is not justified by a local handwriting OCR skill and creates a durable secret-handling path that can be abused. In the context of a mismatched skill, this looks like unauthorized credential capture/persistence rather than necessary application behavior.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The docstring identifies the code as a gaokao skill configuration, directly contradicting the advertised handwriting OCR purpose. This kind of identity mismatch is a strong supply-chain red flag because it suggests code reuse from another capability or intentional disguise of the skill's real behavior.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill asks users to submit handwritten images, including signatures and forms, to an external OCR API without warning that highly sensitive personal data may be transmitted off-platform. This can lead users to disclose credentials, identity information, or regulated personal data without informed consent or minimization.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The function writes the API key in plaintext to .env without any user-facing disclosure, consent flow, or warning about persistence. This increases the risk of accidental secret exposure through source control, backups, logs, shared workspaces, or later local compromise.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The function forwards a user-supplied image URL to an external OCR API, which means potentially sensitive handwritten content is transmitted off-system. Even though this is the tool's intended purpose, the file provides no explicit notice, consent mechanism, or data-handling constraints, so users may unknowingly expose personal or confidential information.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This function sends raw base64-encoded image contents directly to an external API for OCR, which can expose highly sensitive handwritten notes, forms, or signatures. Base64 input often contains the full original document payload, so absent clear disclosure and safeguards, this creates a real privacy and data-exfiltration risk.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs the agent to ask the user for an API key in natural language and persist it via configuration, creating a credential collection and storage workflow outside a secure secret-management channel. This is dangerous because users may disclose secrets into chat context, logs, or recoverable local files, enabling credential theft or misuse.

Ssd 3

Medium
Confidence
90% confidence
Finding
The instruction to directly reorganize and display `result["raw"]` encourages unfiltered disclosure of third-party API output. If the OCR service returns sensitive text, metadata, error traces, or debugging details, the agent may expose information that should be redacted or summarized first.

Credential Access

High
Category
Privilege Escalation
Content
model_config = SettingsConfigDict(
        env_prefix="XBY_GAOKAO_",
        env_file=".env",
        env_file_encoding="utf-8",
        extra="ignore",
    )
Confidence
88% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
default_year: int = 2025

    def model_post_init(self, __context):
        # 强制从 .env 文件读取 XBY_APIKEY
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
Confidence
95% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def model_post_init(self, __context):
        # 强制从 .env 文件读取 XBY_APIKEY
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
            for line in content.splitlines():
Confidence
95% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
if line.startswith("XBY_APIKEY="):
                    self.api_key = line.split("=", 1)[1].strip()
                    break
        # 如果环境变量有值,覆盖 .env 的值
        env_val = os.getenv("XBY_APIKEY", "")
        if env_val:
            self.api_key = env_val
Confidence
90% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def save_api_key_to_env(api_key: str) -> bool:
    """将API key保存到.env文件"""
    try:
        env_path = Path(".env")
        lines = []
        if env_path.exists():
            lines = env_path.read_text(encoding="utf-8").splitlines()
Confidence
92% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
def set_api_key(api_key: str) -> bool:
    """设置API key并持久化到.env"""
    if not api_key or not api_key.strip():
        return False
    api_key = api_key.strip()
Confidence
90% confidence
Finding
.env"

Known Vulnerable Dependency: requests==2.31.0 — 5 advisory(ies): CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi); CVE-2026-25645 (Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility func) +2 more

Medium
Category
Supply Chain
Confidence
95% confidence
Finding
requests==2.31.0

Known Vulnerable Dependency: python-dotenv==1.0.1 — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
87% confidence
Finding
python-dotenv==1.0.1

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.