ClawHub

TencentCloud QuestionMark OCR

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it submits user-provided exam images or PDFs to Tencent Cloud for OCR-based grading, with privacy care needed for student materials.

Install only if you are allowed to send the relevant exam images, PDFs, handwriting, answers, and reference answers to Tencent Cloud. Use scoped Tencent Cloud credentials, keep the secret key out of chats, logs, and repositories, and redact student personal information where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger condition includes a broad catch-all description such as handling 'any scenario involving exam segmentation or question analysis,' which can cause the skill to activate in situations the user did not intend. Over-broad routing is risky here because the skill transmits user-supplied images/PDFs to a cloud OCR service, potentially sending educational or personal data externally without sufficiently specific user intent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill processes uploaded exam images/PDFs and sends them to Tencent Cloud OCR, but the documentation does not provide a user-facing privacy and data-transfer notice. Because these materials may contain student handwriting, names, school information, and answer content, the lack of disclosure and consent controls can lead to privacy violations, regulatory issues, or unintended third-party sharing of sensitive educational data.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script submits exam images/PDFs, handwritten answers, and optional reference-answer/grading metadata to a third-party cloud OCR/grading service without any explicit notice, consent check, or privacy guardrails. In an education context this data can contain student PII and sensitive educational records, so silent transmission increases compliance and privacy risk even if the transfer is functionally intended.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal