ClawHub

TencentCloud VehicleLicense OCR

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Tencent Cloud vehicle-license OCR helper, but it processes sensitive vehicle-document data through a third-party cloud service.

Install only if you are authorized to process the vehicle-license images and are comfortable sending them to Tencent Cloud OCR. Use dedicated Tencent Cloud credentials with appropriate billing and permission controls, avoid third-party documents without consent, and consider reviewing or pinning the SDK dependency in your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger conditions include a broad catch-all statement covering essentially any vehicle-license OCR scenario, which can cause the skill to be invoked outside narrowly intended contexts. Because this skill sends highly sensitive identity and vehicle document data to an external cloud OCR service, overly broad invocation increases the risk of unintended data transfer and privacy-impacting misuse.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill handles vehicle license images and extracted fields such as owner name, address, plate number, VIN, and engine number, but it does not warn users that this sensitive personal information will be transmitted to Tencent Cloud for processing. In this context, the omission is especially dangerous because the document contains regulated identity/vehicle data, and users may unknowingly expose highly sensitive information to a third party without informed consent.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script transmits vehicle-license images and extracted identity/vehicle data to Tencent Cloud OCR, which is a third-party remote service handling highly sensitive personal information. While this is the intended function of the skill, there is no explicit user-facing consent, privacy notice, or transmission warning in the tool behavior, so users may unknowingly send regulated personal data off-box.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal