ClawHub

TencentCloud BizLicense OCR

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Tencent Cloud business-license OCR helper that uses your Tencent credentials and sends the selected document image or URL to Tencent for recognition.

Install only if you are comfortable using Tencent Cloud credentials and submitting the chosen business license images or URLs to Tencent Cloud OCR. Use a dedicated least-privilege Tencent key, protect the environment variables, avoid processing documents without authorization, and review Tencent Cloud data-handling terms for sensitive business records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill requires access to sensitive environment variables containing Tencent Cloud API credentials, but it does not declare permissions or clearly surface that capability. This creates a transparency and governance gap: users or orchestrators may invoke a skill that can access secrets without explicit review, increasing the risk of unintended credential exposure or misuse.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger conditions include a broad catch-all for essentially any business-license OCR scenario, which can cause the skill to activate in contexts where users did not clearly consent to sending images or extracted business data to Tencent Cloud. Because the skill processes potentially sensitive identity and corporate registration documents, overbroad routing increases the chance of accidental data transfer to a third party.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description explains capabilities but omits a clear warning that uploaded images or URLs containing business-license data will be transmitted to a third-party cloud OCR provider. Business licenses contain sensitive company and personal information, so failing to disclose this transmission undermines informed consent and can lead to privacy, compliance, and data-handling risks.

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal