ClawHub

TencentCloud RecognizeTable OCR

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Tencent Cloud table OCR helper, with privacy and file-output considerations users should understand before using it on sensitive documents.

Install only if you are comfortable sending the selected table image/PDF or URL to Tencent Cloud for OCR. Use a least-privileged Tencent Cloud OCR key, avoid processing confidential documents without approval, and choose --save-excel paths carefully because generated spreadsheets may contain sensitive extracted data and can overwrite an existing file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill documentation indicates use of environment variables for cloud credentials (`TENCENTCLOUD_SECRET_ID` and `TENCENTCLOUD_SECRET_KEY`) but does not declare corresponding permissions. This creates a transparency and least-privilege problem: an agent may access sensitive secrets without clear user-facing disclosure or permission gating.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The trigger conditions are written broadly enough that the skill may activate for any table-extraction request, including cases involving sensitive documents, without an explicit consent or sensitivity check. Over-broad invocation increases the chance of unintended transmission of private document content to a third-party OCR service.

Missing User Warnings

High
Confidence
85% confidence
Finding
The documentation states that recognition results can be exported as Excel data, but does not warn that this may create or overwrite a local file when the save option is used. Without clear notice, users may unintentionally persist sensitive extracted data on disk, increasing exposure through local storage, backup, or sharing mechanisms.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The documentation states that recognition results can be exported as Excel data, but does not warn that this may create or overwrite a local file when the save option is used. Without clear notice, users may unintentionally persist sensitive extracted data on disk, increasing exposure through local storage, backup, or sharing mechanisms.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal