pdf-ocr

Security checks across malware telemetry and agentic risk

Overview

This OCR skill does what it says, but it can install packages during use and may send document images to a cloud OCR service without a clear consent boundary.

Review before installing. For confidential PDFs or images, use local OCR only: keep OCR_ENGINE=rapid and do not configure a SiliconFlow API key unless remote processing has been approved. Require the agent to ask before it installs packages or uses (or falls back to) cloud OCR, and prefer a locked environment with pinned dependencies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (20)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess
import sys

def install_package(package):  # function name assumed; the flagged fragment omits the def line
    """Automatically install a missing dependency (runs pip at runtime)."""
    print(f"正在安装依赖: {package}")  # "Installing dependency: {package}"
    try:
        subprocess.check_call([sys.executable, "-m", "pip", "install", package])
        print(f"依赖 {package} 安装成功")  # "Dependency {package} installed successfully"
        return True
    except subprocess.CalledProcessError as e:
        # Installation failed; the original fragment ends here, so the handler is completed minimally
        return False
Confidence
97% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", package])

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill can install Python packages during execution, which is not necessary for ordinary OCR behavior and materially changes the trust boundary of the tool. This enables unreviewed code retrieval and execution from package repositories, turning a document-processing skill into one capable of arbitrary environment modification and supply-chain exposure.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
If RapidOCR initialization fails, the processor silently switches to the SiliconFlow cloud API, causing document images to be transmitted externally without explicit user consent at the point of use. In an OCR skill, this is particularly risky because inputs often contain sensitive PDFs, scans, IDs, contracts, or internal records.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The implementation sends OCR image content to an external API, but the skill description only advertises PDF/image text extraction and does not disclose remote data transfer. This omission can mislead users into processing sensitive documents under the assumption that handling is local-only.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The cloud-engine trigger phrases are broad enough that ordinary requests like '高精度识别这个文档' ("recognize this document with high accuracy") or '处理复杂的扫描件' ("process a complex scanned document") could select the remote OCR path without the user clearly realizing their file contents will be sent to a third-party API. In an AI-IDE skill context, prompt-based engine switching increases the chance of unintended off-device data transfer, especially for sensitive PDFs such as contracts or IDs.

Missing User Warnings

High
Confidence
97% confidence
Finding
The README promotes a cloud OCR API but does not prominently warn that uploaded PDFs/images and their extracted text may be transmitted to and processed by an external service. This creates a material privacy and data-handling risk because users may submit confidential documents under the mistaken assumption that OCR is local, especially since the skill also advertises a local engine and automatic engine switching.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases for engine selection are broad natural-language requests such as '高精度识别这个文档' ("recognize this document with high accuracy") or '快速识别这个文档' ("recognize this document quickly"), which can easily appear in ordinary conversation. This can cause unintended activation of the cloud OCR path or other behaviors without sufficiently explicit user intent, especially where external transmission of document data is involved.

Missing User Warnings

High
Confidence
96% confidence
Finding
The documentation mentions a cloud OCR engine but does not prominently and explicitly warn that document images/pages will be transmitted to an external API for processing. In an OCR skill, users are likely to handle contracts, IDs, reports, and other sensitive scans, so insufficient disclosure materially raises privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The call site performs external transmission of PDF/image-derived data to a cloud OCR API without an explicit warning or confirmation. Because OCR content frequently includes confidential information, lack of an in-context notice increases the risk of accidental sensitive data exfiltration.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The guide says the skill can be used via broad natural-language requests but does not define clear triggering boundaries, supported inputs, or exclusion conditions. In agent environments, overly broad invocation language can cause the skill to run on unintended files or requests, increasing the chance of accidental data processing or misuse.

Missing User Warnings

High
Confidence
97% confidence
Finding
The documentation instructs users to configure a third-party API key for SiliconFlow OCR but does not clearly disclose that document or image contents will be transmitted to an external service for processing. Because this skill handles PDFs and images that may contain sensitive data, the omission creates a significant privacy and compliance risk by preventing informed consent and safe handling decisions.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# PDF OCR Skill Requirements

# PDF processing
pymupdf>=1.23.0

# Image processing
pillow>=9.0.0
Confidence
94% confidence
Finding
pymupdf>=1.23.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pymupdf>=1.23.0

# Image processing
pillow>=9.0.0

# HTTP requests
requests>=2.28.0
Confidence
96% confidence
Finding
pillow>=9.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
pillow>=9.0.0

# HTTP requests
requests>=2.28.0

# Environment variable management
python-dotenv>=1.0.0
Confidence
95% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0

# Environment variable management
python-dotenv>=1.0.0

# Local OCR engine (optional; recommended for better recognition quality)
rapidocr_onnxruntime>=1.3.0
Confidence
91% confidence
Finding
python-dotenv>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-dotenv>=1.0.0

# Local OCR engine (optional; recommended for better recognition quality)
rapidocr_onnxruntime>=1.3.0
Confidence
90% confidence
Finding
rapidocr_onnxruntime>=1.3.0

Known Vulnerable Dependency: pymupdf — 1 advisory(ies): CVE-2026-3029 (PyMuPDF has a path traversal in _main_.py)

Low
Category
Supply Chain
Confidence
80% confidence
Finding
pymupdf

Known Vulnerable Dependency: pillow — 10 advisory(ies): CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
97% confidence
Finding
pillow

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
94% confidence
Finding
requests

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
72% confidence
Finding
python-dotenv

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal