TencentCloud LicensePlate OCR

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it sends user-selected vehicle images or image URLs to Tencent Cloud OCR to recognize license plates.

Install only if you are comfortable sending vehicle images or image URLs to Tencent Cloud for OCR. Use a least-privilege Tencent Cloud key, monitor quota and billing, and avoid submitting plate images you are not authorized to process.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 78%
Finding
The trigger conditions are very broad, including phrases like "any plate OCR-related scenario", which can cause the skill to activate in ambiguous contexts. Over-triggering is dangerous here because the skill sends user-provided images and extracted plate data to a third-party cloud API, potentially without sufficiently specific user intent.

Missing User Warnings

High
Confidence: 95%
Finding
The skill description does not clearly disclose that uploaded images and license plate data will be transmitted to Tencent Cloud for processing. License plates are sensitive identifiers, and undisclosed third-party transmission can violate user expectations, privacy requirements, and data-handling policies.

Missing User Warnings

Medium
Confidence: 89%
Finding
The script transmits user-supplied image content or URLs to Tencent Cloud's external OCR service, but it does not present any explicit notice or consent prompt at the point of use. This can expose sensitive personal data, including license plate information and possibly image metadata, creating a privacy and data-handling risk if users are unaware that their content leaves the local environment.

VirusTotal

64/64 vendors flagged this skill as clean.