TencentCloud ExtractDoc OCR

Security checks across malware telemetry and agentic risk

Overview

This skill is a Tencent Cloud OCR helper that sends user-selected documents or URLs to Tencent Cloud for extraction, with no hidden persistence, destructive behavior, or unrelated access found.

Install only if you are comfortable sending selected documents, document URLs, and extracted OCR results through Tencent Cloud OCR. Use a least-privilege Tencent Cloud key, review Tencent Cloud billing and data-handling requirements for sensitive contracts, invoices, or regulated documents, and consider pinning the SDK version in controlled environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger conditions include a catch-all description such as handling 'any scene involving document structured extraction,' which is broad enough to cause accidental invocation outside the user's intended scope. Over-broad routing can send sensitive documents to this skill and onward to Tencent Cloud OCR when a narrower or local alternative would have been more appropriate.

Missing User Warnings

High
Confidence: 97%
Finding
The skill description does not clearly warn that uploaded document contents will be transmitted to Tencent Cloud's OCR service for processing. Because this skill is designed for contracts, invoices, and reports, users may unknowingly send highly sensitive business or personal data to a third party without informed consent, creating privacy, compliance, and data-governance risk.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documented ImageUrl input mode can cause the system to fetch remote content and transmit it to Tencent Cloud, but the skill does not warn users about external network access or third-party data transfer. This increases the risk of unintentionally processing confidential documents from remote URLs and can also expose internal or private URLs if users provide them without understanding the consequences.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script transmits user-supplied document contents, either by URL or Base64/file input, to Tencent Cloud's remote OCR service but does not present an explicit warning or consent checkpoint about external data transfer. In a skill context that may process contracts, invoices, and reports, this can expose sensitive or regulated data to a third party without the user's clear awareness, creating a real privacy and compliance risk even though the network transmission is the skill's intended function.

VirusTotal

66/66 vendors flagged this skill as clean.
