Back to skill

Security audit

港澳台通行证识别OCR

Security checks across malware telemetry and agentic risk

Overview

This OCR skill appears purpose-built for passport or travel-permit processing, but it under-discloses sensitive document transmission and stores API credentials in plaintext.

Install only if you are comfortable sending passport or travel-permit images and extracted PII to the skill's external OCR provider. Confirm where the API sends data, avoid using real identity documents unless necessary, remove any stored .env API key when done, and review dependency versions before use in a sensitive or production workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the agent to read environment configuration, write an API key via scripts.config.set_api_key, and call external network APIs, yet it declares no permissions or trust boundaries. This mismatch can hide sensitive operations from reviewers and users, especially because the skill processes identity-document images and credentials.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The workflow example tells the model to call an unrelated function scripts.tools.search_schools(...) instead of the passport OCR functions. In an agent setting, incorrect tool-routing guidance can cause unintended API calls, parameter confusion, data leakage to the wrong service, or unsafe behavior when handling sensitive identity-document inputs.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code persists an API credential to a local .env file, which creates a plaintext secret at rest on disk. In an OCR skill that processes sensitive identity documents, unnecessary credential persistence increases exposure if the host is shared, backed up insecurely, or the project directory is later disclosed.

Missing User Warnings

High
Confidence
97% confidence
Finding
This skill handles highly sensitive identity-document images and extracted PII, but it does not warn users that their document content may be transmitted to an external API service. Because passports and travel permits contain names, document numbers, dates of birth, and MRZ data, missing privacy notice and consent materially increases the risk of unauthorized disclosure and compliance violations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instruction to directly display and presumably process raw API responses can expose full identity-document data back to the user interface, logs, traces, or downstream tools without minimization. For OCR of travel permits, raw responses may contain complete PII and MRZ content, increasing accidental disclosure and over-retention risks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The function writes the API key to a persistent .env file without any user-facing warning, confirmation, or indication of retention. This is dangerous because users may believe they are supplying a temporary credential while the skill silently stores it in plaintext for future reuse.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The function sends identity-document imagery or extracted data to an external API via call_api, but this file provides no consent notice, minimization, or handling guidance for highly sensitive personal data. Because the skill processes travel permits and MRZ data, users may unknowingly transmit regulated identity information to a third party, creating privacy, compliance, and data-leakage risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This variant transmits a base64-encoded image of a permit document to an external API, which is still raw sensitive identity data despite encoding. Sending full document images off-box without warning or consent increases exposure of names, document numbers, birth dates, and MRZ contents if the external service, logs, or intermediaries are compromised.

Credential Access

High
Category
Privilege Escalation
Content
default_year: int = 2025

    def model_post_init(self, __context):
        # 强制从 .env 文件读取 XBY_APIKEY
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
Confidence
91% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def model_post_init(self, __context):
        # 强制从 .env 文件读取 XBY_APIKEY
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
            for line in content.splitlines():
Confidence
91% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
def save_api_key_to_env(api_key: str) -> bool:
    """将API key保存到.env文件"""
    try:
        env_path = Path(".env")
        lines = []
        if env_path.exists():
            lines = env_path.read_text(encoding="utf-8").splitlines()
Confidence
94% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
def set_api_key(api_key: str) -> bool:
    """设置API key并持久化到.env"""
    if not api_key or not api_key.strip():
        return False
    api_key = api_key.strip()
Confidence
93% confidence
Finding
.env"

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
92% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
90% confidence
Finding
pydantic>=2.7.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
90% confidence
Finding
pydantic-settings>=2.2.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
91% confidence
Finding
python-dotenv>=1.0.1

Known Vulnerable Dependency: requests==2.31.0 — 5 advisory(ies): CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi); CVE-2026-25645 (Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility func) +2 more

Medium
Category
Supply Chain
Confidence
95% confidence
Finding
requests==2.31.0

Known Vulnerable Dependency: python-dotenv==1.0.1 — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
83% confidence
Finding
python-dotenv==1.0.1

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.