Hutian Opc Patent Search

Security checks across malware telemetry and agentic risk

Overview

This is a mostly disclosed IP-search and filing-assistance skill, but it may lead users to share sensitive identity, company, source-code, and legal materials without clear privacy safeguards.

Use this only as an advisory reference for IP search and filing preparation. Do not upload raw ID cards, business licenses, signatures, authorization letters, confidential source code, or trade-secret materials unless you have a secure, approved workflow; redact nonessential identifiers and verify filing requirements with official sources or a qualified professional.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Description-Behavior Mismatch

Severity: High, Confidence: 92%
Finding
The skill is described as a novelty/patent search tool, but the guide materially expands into trademark registrability, copyright registration, and software-copyright application compliance. This scope creep is dangerous because users may rely on the skill for regulated legal/compliance workflows it is not scoped, validated, or authorized to handle, increasing the chance of harmful advice, unauthorized practice concerns, and collection/processing of sensitive application materials.

Intent-Code Divergence

Severity: Medium, Confidence: 89%
Finding
The document presents itself as a search skill but includes detailed application-preparation instructions, rejection-avoidance tactics, document checklists, and compliance steps. This mismatch can mislead users and downstream orchestrators about the agent's permitted actions, causing the system to perform higher-risk legal/compliance assistance than intended and potentially solicit sensitive personal or corporate documents.

Description-Behavior Mismatch

Severity: Medium, Confidence: 92%
Finding
The file embeds a long software-copyright registration manual inside a skill advertised for novelty search and patent retrieval, creating a capability/context mismatch. This can mislead downstream agents or users into performing unrelated legal/compliance workflows, increasing the chance of unsafe automation, hallucinated authority, and accidental collection or handling of sensitive identity and registration materials outside the skill’s stated purpose.

Intent-Code Divergence

Severity: Medium, Confidence: 95%
Finding
The document explicitly says it is a copyright-registration reference for the novelty-search skill, contradicting the declared purpose of patent retrieval and novelty verification. This kind of internal contradiction is dangerous because agents often trust bundled references as authoritative, so the mismatch can silently expand behavior beyond approved scope and cause users to rely on unvetted legal/process guidance.

Ssd 3

Severity: Medium, Confidence: 95%
Finding
The skill instructs intake and processing of highly sensitive identity and company documents such as ID cards, business licenses, and authorization materials, but does not define confidentiality controls, minimization, masking, retention limits, or disclosure boundaries. In an AI skill context, this can lead to unnecessary collection, overexposure in prompts/outputs, and accidental leakage of regulated personal or corporate data.

Ssd 3

Severity: Medium, Confidence: 96%
Finding
The checklist encourages users to submit sensitive identity materials and supporting legal documents as routine application inputs without any mention of sanitization, secure storage, access control, or output redaction. Because checklists operationalize behavior, this increases the likelihood that users will provide raw PII and company documents into an unsafe processing path.

Ssd 3

Severity: Medium, Confidence: 94%
Finding
The application-material guidance broadly requests sensitive applicant documents but omits confidentiality boundaries and secure-handling instructions. In a skill that may be used by non-expert users, this creates a realistic risk of oversharing regulated documents and having them propagated into logs, model context, or generated reports.

VirusTotal

VirusTotal findings are pending for this skill version.