Ocr Benchmark

Security checks across malware telemetry and agentic risk

Overview

This OCR benchmarking skill does what it says, but users should know their selected images may be sent to configured cloud OCR providers.

Install this in a virtual environment, use least-privileged provider credentials, monitor cloud usage costs, and only run it on images you are allowed to send to AWS, Google AI Studio, or your configured PaddleOCR endpoint. Treat the generated JSON and PPTX reports as sensitive if the images or OCR text are sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The quick-start and workflow describe sending local images to Bedrock, Google AI Studio, and optionally an external PaddleOCR endpoint, but there is no explicit privacy or data-transmission warning. Users may unknowingly upload sensitive images or extracted text containing personal, confidential, or regulated data to third-party services, especially the arbitrary external PaddleOCR endpoint.

VirusTotal

66/66 vendors flagged this skill as clean.
