Back to skill

Security audit

文本识别OCR(增强版)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a remote OCR wrapper, with real privacy and key-storage caveats but no artifact-backed malicious behavior.

Install only if you are comfortable using XiaoBenYang as the OCR provider. Do not submit private IDs, financial records, medical documents, internal screenshots, or other sensitive images unless that provider is approved for your data, and remember that the API key is saved in a local .env file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation describes capabilities that imply environment access, file read/write, and outbound network use, but it does not declare or surface those permissions to the user. This creates a transparency and consent gap: the skill can request API keys, persist them, and send image content to an external service without an explicit permission model being documented.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file is for an OCR skill, but the configuration clearly targets an unrelated 'gaokao' service and API-key workflow. This kind of capability mismatch is dangerous because it can hide undeclared external-service access and secret-handling behavior that users would not reasonably expect from an OCR-only skill.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code persists API credentials into a local .env file even though the stated skill purpose is image text recognition. Storing secrets on disk increases exposure through source control leaks, backup collection, local file disclosure, and accidental reuse by unrelated components.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The docstring identifies the code as a '小笨羊高考Skill配置', which directly contradicts the OCR skill metadata. This inconsistency strongly suggests code reuse or repackaging from another skill, making hidden or unrelated network and credential behavior more suspicious and harder to audit safely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to provide image URLs or base64 image data to an external OCR API but does not warn that image contents may include sensitive personal, financial, or confidential information. Users may unknowingly transmit sensitive screenshots or documents to a third-party processor without informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The function writes the provided API key to .env automatically with no user-facing warning or confirmation. Silent credential persistence can surprise users, create long-lived secrets on disk, and increase the chance of accidental disclosure through local access or repository commits.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The function forwards a user-supplied image URL to an external OCR API, which means image contents and possibly metadata are transmitted off-platform. In an OCR skill, users may submit sensitive documents, screenshots, or IDs, so the lack of an explicit disclosure or consent mechanism creates a real privacy and data-exposure risk even though the code appears intended for legitimate OCR use.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This function sends raw base64-encoded image content directly to an external API, so the full underlying document or screenshot leaves the local environment. Because base64 input commonly contains complete sensitive files rather than public URLs, the privacy risk is more pronounced if users provide IDs, financial records, medical documents, or internal screenshots without being clearly warned.

Ssd 3

Medium
Confidence
94% confidence
Finding
The instruction to present upstream 'raw' OCR/API output directly to the user bypasses any filtering, minimization, or redaction step. Raw OCR responses can contain sensitive text extracted from uploaded documents, metadata, confidence details, or unexpected provider-returned content that should be sanitized before display.

Credential Access

High
Category
Privilege Escalation
Content
default_year: int = 2025

    def model_post_init(self, __context):
        # 强制从 .env 文件读取 XBY_APIKEY
        env_path = Path(".env")
        if env_path.exists():
            content = env_path.read_text(encoding="utf-8")
Confidence
90% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def save_api_key_to_env(api_key: str) -> bool:
    """将API key保存到.env文件"""
    try:
        env_path = Path(".env")
        lines = []
        if env_path.exists():
            lines = env_path.read_text(encoding="utf-8").splitlines()
Confidence
93% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
def set_api_key(api_key: str) -> bool:
    """设置API key并持久化到.env"""
    if not api_key or not api_key.strip():
        return False
    api_key = api_key.strip()
Confidence
91% confidence
Finding
.env"

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
93% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
93% confidence
Finding
pydantic>=2.7.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
92% confidence
Finding
pydantic-settings>=2.2.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
pydantic>=2.7.0
pydantic-settings>=2.2.0
python-dotenv>=1.0.1
Confidence
93% confidence
Finding
python-dotenv>=1.0.1

Known Vulnerable Dependency: requests==2.31.0 — 5 advisory(ies): CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi); CVE-2026-25645 (Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility func) +2 more

Medium
Category
Supply Chain
Confidence
96% confidence
Finding
requests==2.31.0

Known Vulnerable Dependency: python-dotenv==1.0.1 — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
79% confidence
Finding
python-dotenv==1.0.1

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.