Back to skill

Security audit

文本识别OCR

Security checks across malware telemetry and agentic risk

Overview

This OCR skill appears to do remote text recognition, but it needs review because it stores an API key in a local .env file and does not clearly warn that uploaded images are sent to a third-party service.

Install only if you are comfortable sending images or image URLs to Xiaobenyang's remote OCR API and storing the XBY_APIKEY in a plaintext .env file in the working directory. Avoid using it on IDs, invoices, screenshots with secrets, or other sensitive documents unless you have reviewed the provider and storage behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation describes capabilities that require environment access, file read/write, and network use, but it does not declare any permissions or present those capabilities transparently. This can bypass user and platform expectations about what the skill will access, especially since it requests and stores an API key and sends image data to an external service.

Intent-Code Divergence

Medium
Confidence
73% confidence
Finding
The project structure references a gaokao/school-search context that contradicts the OCR identity, indicating the skill may be repurposed from another project without proper review. Such mismatches can conceal undocumented functionality or cause operators to trust a skill whose actual backend behavior differs from its stated purpose.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This OCR skill includes code to manage and persist an API key, which is outside the stated purpose of local text recognition and indicates capability drift. While API-backed OCR can be legitimate, storing and exposing credential-management behavior in a mismatched skill increases the chance of hidden external data exfiltration or undeclared remote service usage.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code writes an API key directly to a local .env file, creating a plaintext credential at rest on disk. In the context of an OCR skill, this capability is not justified by the declared functionality and increases the risk of credential leakage through backups, logs, source packaging, or other local access.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The class docstring references a different domain ('高考') than the manifest's OCR description, which is a strong indicator of code reuse, repackaging, or mismatched provenance. That discrepancy makes the skill context more dangerous because hidden behaviors may not correspond to the advertised OCR function, undermining trust and reviewability.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill asks for image URLs or base64-encoded image data but does not warn users that this content will be transmitted to an external OCR API. Images often contain sensitive personal, financial, or credential information, so lack of disclosure undermines informed consent and increases privacy risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This code sends both user-supplied request parameters and an API credential to an external service via HTTP headers/body, but the file contains no user-facing disclosure, consent, or data-classification guardrails. In an OCR skill, uploaded images and extracted text may contain sensitive personal, financial, or credential data, so silent transmission to a third-party upstream increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill stores the provided API key to disk and exports it into the process environment without any visible warning, consent flow, or transparency to the user. Silent secret persistence increases the risk that users disclose credentials they did not expect to be retained, and it broadens exposure to other code running in the same environment.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The `ocr` function forwards a user-supplied image URL to an external API via `call_api` without any visible disclosure, consent flow, or data-handling notice in this file. Because OCR inputs commonly contain sensitive documents, screenshots, or personal data, undisclosed transmission to a third-party service creates a real privacy and compliance risk even if the code is functionally correct.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The `ocr_for_data_base64` function sends raw base64-encoded image contents directly to an external API, which may expose full document contents, screenshots, IDs, or other sensitive material. This is especially risky because base64 upload implies the actual image bytes are transmitted off-platform, yet the code and docstring provide no explicit warning or safeguards around sensitive-data handling.

Ssd 3

Medium
Confidence
94% confidence
Finding
The instruction to directly display raw API output can expose sensitive OCR-extracted text without filtering, minimization, or context-aware redaction. If users submit IDs, invoices, screenshots, or documents containing secrets, the skill may unnecessarily surface full personal or confidential data back into logs, transcripts, or UI history.

Credential Access

High
Category
Privilege Escalation
Content
default_year: int = 2025

    def model_post_init(self, __context):
        # 强制从 .env 文件读取 XBY_APIKEY
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
Confidence
94% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def model_post_init(self, __context):
        # 强制从 .env 文件读取 XBY_APIKEY
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
            for line in content.splitlines():
Confidence
93% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
def save_api_key_to_env(api_key: str) -> bool:
    """将API key保存到.env文件"""
    try:
        env_path = Path(".env")
        lines = []
        if env_path.exists():
            lines = env_path.read_text(encoding="utf-8").splitlines()
Confidence
97% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
def set_api_key(api_key: str) -> bool:
    """设置API key并持久化到.env"""
    if not api_key or not api_key.strip():
        return False
    api_key = api_key.strip()
Confidence
96% confidence
Finding
.env"

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
93% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
93% confidence
Finding
pydantic>=2.7.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
92% confidence
Finding
pydantic-settings>=2.2.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
92% confidence
Finding
python-dotenv>=1.0.1

Known Vulnerable Dependency: requests==2.31.0 — 5 advisory(ies): CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi); CVE-2026-25645 (Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility func) +2 more

Medium
Category
Supply Chain
Confidence
97% confidence
Finding
requests==2.31.0

Known Vulnerable Dependency: python-dotenv==1.0.1 — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
85% confidence
Finding
python-dotenv==1.0.1

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.