Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
专利专业代理 / Patent Professional Agents
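v1.0.1
📜 专利专业代理 - Patent Professional Agents: a professional multi-agent skill suite for patent drafting and optimization, covering the entire patent application process. 🎯 Core features: • Scenario 1: user idea → technical mining → search and analysis → patent drafting → quality review • Scenario 2: user's first draft → problem analysis → optimization suggestions → strengthened claims • Scenario 3...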
by 皮皮华 (@bigpipihua)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill name/description align with the included agents and the conversion script (drafting, prior-art search, inventiveness evaluation, Word conversion). Required search-skill dependencies (tavily-search, aminer-open-academic) and python-docx are coherent with the stated functionality. However, the SKILL manifest lists no required system binaries while the repository and SOUL.md explicitly rely on external tools (pandoc, mermaid-cli/mmdc, Node/Puppeteer/Chromium). This is an inconsistency the author should have declared.
Instruction Scope
SKILL.md and agent SOULs instruct agents to read user-provided patent drafts and run multi-source searches — expected. The patent-converter script searches file paths (including default /root/workspace/patent/new) and will read and write files in the source directories. The workflow also describes an automatic trigger: 'auto-invoke when patent-auditor review passes'. That auto-trigger and the default root path warrant user attention: they could cause conversions to run without explicit per-file confirmation and will act on files in an assumed filesystem location.
Install Mechanism
There is no install spec in the registry (instruction-only), but the included documentation requires system packages: pandoc (apt), mermaid-cli (npm) and implicitly Puppeteer/Chromium. The converter uses mmdc and writes a Puppeteer config with '--no-sandbox'. Relying on mermaid-cli/Puppeteer commonly pulls a Chromium binary and running with --no-sandbox is a security footgun (often suggested only for root contexts). The skill does create and delete temp files and calls subprocesses. Missing explicit declaration of required system binaries and the need for Node/Chromium are notable risks and coherence gaps.
Credentials
The skill does not request environment variables or credentials — that's appropriate. However it encodes a fixed default search directory (/root/workspace/patent/new) and a template path relative to the script. Those fixed paths could cause the converter to look in privileged or unexpected locations if the skill runs with filesystem access; users should confirm the intended working directory and template placement before running.
Persistence & Privilege
always:false and there is no indication the skill modifies other skills or global agent settings. Autonomous invocation is allowed by default and the skill describes auto-trigger behavior in its workflow; that's plausible for this kind of automation but users should be aware the conversion step can be auto-triggered when 'audit passed'.
What to consider before installing
This package appears to implement the patent-drafting and conversion features it advertises, but there are operational and security issues you should check before installing or running it:
1) System dependencies not declared in the registry: The code and docs require pandoc, mermaid-cli (mmdc), Node/Puppeteer and a Chromium binary (mermaid-cli often downloads Chromium). The manifest lists no required binaries — install and verify these tools yourself before running.
2) Puppeteer/Chromium and --no-sandbox: The converter writes a Puppeteer config and invokes mmdc with a config that uses '--no-sandbox'. Running headless Chromium with --no-sandbox reduces process isolation and is only safe in controlled environments; avoid running this as root on untrusted hosts.
3) Default paths: The script defaults to /root/workspace/patent/new and expects templates under agents/patent-converter/templates/template.docx. Confirm the working directory and template location and avoid running the script with elevated privileges against directories containing unrelated data.
4) Auto-trigger behavior: The SOUL docs describe auto-invocation when the auditor 'passes'. If you enable autonomous agent invocation, verify the trigger logic and whether you'll get prompts before the converter processes or overwrites files.
5) External search skills: The skill depends on tavily-search and aminer-open-academic for prior art. Those skills will perform network searches and may send your draft text outside your environment. Review their privacy/policy details before providing confidential drafts.
6) Recommended precautions: run in an isolated/test environment first, inspect convert_patents.py and the templates, install dependencies manually from trusted package sources, avoid running as root (or remove --no-sandbox and run under a non-root user), and confirm auto-trigger settings. If you need higher assurance, ask the author to add explicit 'required binaries' to the registry and to avoid recommending --no-sandbox.
Like a lobster shell, security has layers — review code before you run it.
