Back to skill

Security audit

行驶证识别OCR

Security checks across malware telemetry and agentic risk

Overview

The skill is a plausible vehicle-license OCR integration, but it sends sensitive document images to a third-party API and stores the API key in a local .env file with limited privacy and storage disclosure.

Install only if you are comfortable sending vehicle-license images and extracted personal/vehicle identifiers to the Xiaobenyang OCR API. Use a limited-scope API key, avoid submitting documents you cannot share with that provider, and be aware the key is saved locally in a plaintext .env file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares no permissions while its documented behavior requires environment access, credential storage, file operations, and network calls. This mismatch reduces transparency and can bypass user or platform trust decisions, especially because the skill processes identity-document images and saves API keys.

Intent-Code Divergence

Medium
Confidence
80% confidence
Finding
The documentation tells the model to call an unrelated function `search_schools`, which contradicts the stated OCR-only toolset. In an agent setting, inconsistent tool instructions can cause misrouting, unintended data disclosure to the wrong tool, or unsafe execution paths if similarly named tools exist.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The configuration docstring identifies a completely different skill (高考/gaokao) than the manifested driving-license OCR skill. This mismatch is a supply-chain red flag because it suggests code reuse or repurposing from an unrelated project, making it harder for reviewers to trust that the configuration and secrets handling actually belong to the declared OCR functionality.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The file defines a remote API base URL, MCP identifier, API key, and retry/timeout logic even though the manifested skill is described as a local OCR capability. In this context, hidden external-service integration increases the risk of unexpected data exfiltration, especially because the skill handles sensitive identity-document contents.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill is designed to process highly sensitive identity-document data, including owner, address, engine number, and vehicle identification number, yet it provides no warning about privacy, retention, or third-party transmission. Users may submit regulated personal data without informed consent, increasing the risk of privacy violations, compliance issues, and harmful exposure if the upstream API is compromised or misused.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to ask for an API key and persist it via `set_api_key` without warning the user that the credential will be stored. Silent credential persistence is dangerous because users may disclose secrets without understanding retention scope, storage location, or reuse risk, and the same skill also has file/environment capabilities that raise the sensitivity further.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code persists the API key to a local .env file and exports it into the process environment without any warning, confirmation, or security controls. Storing credentials this way can expose them to accidental disclosure through local file leakage, backups, logs, or downstream subprocesses inheriting environment variables.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This function sends vehicle license data to an external API via call_api without any visible notice, consent flow, or minimization controls in this file. Because vehicle registration images and extracted fields contain sensitive personal and vehicle identifiers, silent transmission to a third party creates a real privacy and data-handling risk if users are unaware or if the endpoint is improperly governed.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This variant transmits the full image contents as base64 to an external API, which can expose the entire vehicle license image and all embedded personal data. Sending raw document images off-platform without any user-facing warning or consent mechanism is a genuine privacy vulnerability, and the base64 form may also increase accidental logging or storage exposure in intermediaries.

Credential Access

High
Category
Privilege Escalation
Content
default_year: int = 2025

    def model_post_init(self, __context):
        # 强制从 .env 文件读取 XBY_APIKEY
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
Confidence
92% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def model_post_init(self, __context):
        # 强制从 .env 文件读取 XBY_APIKEY
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
            for line in content.splitlines():
Confidence
92% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
def save_api_key_to_env(api_key: str) -> bool:
    """将API key保存到.env文件"""
    try:
        env_path = Path(".env")
        lines = []
        if env_path.exists():
            lines = env_path.read_text(encoding="utf-8").splitlines()
Confidence
94% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
def set_api_key(api_key: str) -> bool:
    """设置API key并持久化到.env"""
    if not api_key or not api_key.strip():
        return False
    api_key = api_key.strip()
Confidence
90% confidence
Finding
.env"

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
94% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
94% confidence
Finding
pydantic>=2.7.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
93% confidence
Finding
pydantic-settings>=2.2.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
95% confidence
Finding
python-dotenv>=1.0.1

Known Vulnerable Dependency: requests==2.31.0 — 5 advisory(ies): CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi); CVE-2026-25645 (Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility func) +2 more

Medium
Category
Supply Chain
Confidence
97% confidence
Finding
requests==2.31.0

Known Vulnerable Dependency: python-dotenv==1.0.1 — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
83% confidence
Finding
python-dotenv==1.0.1

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.