Back to skill

Security audit

中国专利.Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is purpose-aligned for patent drafting, but it needs Review because it combines broad project scanning, external searches, automatic persistent outputs/logs, and risky document/rendering dependencies.

Install only in a workspace where patent materials may be read and persisted. Before use, pin or update dependencies, avoid processing untrusted Office files, confirm the exact project path and output directory, and remember that prior-art search sends derived technical search terms to external patent/search services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (17)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
*extra,
            ]
            cmd = " ".join(shlex.quote(p) for p in parts)
            r = subprocess.run(
                cmd,
                shell=True,
                capture_output=True,
Confidence
97% confidence
Finding
r = subprocess.run( cmd, shell=True, capture_output=True, text=True, timeout=180, )

Tainted flow: 'out_path' from os.environ.get (line 258, credential/environment) → pathlib.Path.write_text (file write)

Medium
Category
Data Flow
Content
os.environ.get("EPUB_RESULT_HTML", "").strip() or default_result_html_path()
    )
    out_path = out_path.expanduser().resolve()
    out_path.write_text(out_html, encoding="utf-8")
    print(
        "结果页长度",
        len(out_html),
Confidence
91% confidence
Finding
out_path.write_text(out_html, encoding="utf-8")

Vague Triggers

Medium
Confidence
88% confidence
Finding
The README advertises broad natural-language triggers such as patent mining, disclosure drafting, and prior-art search, which can overlap with ordinary user requests and cause the skill to activate unintentionally. In a skill that scans project documents, generates files, and may perform external searches, overbroad invocation increases the chance of processing sensitive local data or writing outputs without sufficiently explicit user intent.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The README states that deliverables are written to local files and that iteration logs are appended, but it does not clearly warn users up front that the skill will create and modify artifacts on disk. This can lead to unintended persistence of sensitive patent materials, revision history, or derived documents in local workspaces.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The iteration mode is triggered by broad intent recognition and instructs the agent to automatically read prior drafts, merge corrections, and write new outputs without an explicit confirmation boundary. In a skill that handles sensitive project documents and patent disclosures, this can cause the agent to act on ambiguous user input, pull in unintended prior materials, or modify disclosure artifacts in ways the user did not clearly authorize.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The activation rule lets the agent decide based on broad user intent cues such as '这里不对' or '应强调XXX' without firm exclusions or confirmation gates. In a document-modifying skill, this can cause unintended entry into correction mode, leading to unauthorized edits, skipped review steps, or modification of the wrong stage of the workflow when user language is ambiguous.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The prompt explicitly asks for a technical contact's name, phone number, and email without any minimization guidance, privacy notice, retention limits, or warning not to include unnecessary personal data. In a patent-disclosure workflow, this can cause the agent to collect and propagate personally identifiable information into drafts, logs, or downstream tools without clear user consent or handling constraints.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The prompt explicitly instructs the agent to write new timestamped `.md` and `.docx` files and append a persistent revision log in the case output directory, but it does not require explicit user confirmation at the moment of modification. In an agent environment with filesystem tools, this can cause silent disk writes, unintended retention of user content, and accumulation of sensitive project history beyond what the user expected from a conversational interaction.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The prompt explicitly instructs the agent to write merged output to a new timestamped file, generate a .docx, and append a dialogue log, which are persistent data-modifying actions. Because the skill metadata/description shown to the user does not clearly disclose these side effects or require explicit confirmation before file creation and logging, users may trigger unintended writes, retention of sensitive patent content, or audit/log artifacts without informed consent.

Unvalidated Output Injection

High
Category
Output Handling
Content
*extra,
            ]
            cmd = " ".join(shlex.quote(p) for p in parts)
            r = subprocess.run(
                cmd,
                shell=True,
                capture_output=True,
Confidence
96% confidence
Finding
subprocess.run( cmd, shell=True, capture_output

Unpinned Dependencies

Low
Category
Supply Chain
Content
# 使用 tools/md_to_docx.py、docx_to_md.py、pptx_to_md.py、math_render.py 时安装
python-docx>=1.1.0
# 定稿图示(mermaid → PNG)须 Node:在 tools/ 执行 npm install 或 npx,见 tools/README.md
mammoth>=1.6.0
python-pptx>=0.6.21
Confidence
86% confidence
Finding
python-docx>=1.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# 使用 tools/md_to_docx.py、docx_to_md.py、pptx_to_md.py、math_render.py 时安装
python-docx>=1.1.0
# 定稿图示(mermaid → PNG)须 Node:在 tools/ 执行 npm install 或 npx,见 tools/README.md
mammoth>=1.6.0
python-pptx>=0.6.21
matplotlib>=3.8.0
Confidence
98% confidence
Finding
mammoth>=1.6.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
python-docx>=1.1.0
# 定稿图示(mermaid → PNG)须 Node:在 tools/ 执行 npm install 或 npx,见 tools/README.md
mammoth>=1.6.0
python-pptx>=0.6.21
matplotlib>=3.8.0

# 可选:Step 5 国知局 epub.cnipa.gov.cn 抓取(Playwright,体积较大;未写入本文件以免默认全量安装)
Confidence
84% confidence
Finding
python-pptx>=0.6.21

Unpinned Dependencies

Low
Category
Supply Chain
Content
# 定稿图示(mermaid → PNG)须 Node:在 tools/ 执行 npm install 或 npx,见 tools/README.md
mammoth>=1.6.0
python-pptx>=0.6.21
matplotlib>=3.8.0

# 可选:Step 5 国知局 epub.cnipa.gov.cn 抓取(Playwright,体积较大;未写入本文件以免默认全量安装)
#   pip install -r tools/requirements-cnipa.txt && python -m playwright install chromium
Confidence
82% confidence
Finding
matplotlib>=3.8.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# 国知局公布公告站检索(tools/cnipa_epub_search.py / cnipa_epub_crawler.py)依赖;与仓库根目录 requirements.txt 独立
playwright>=1.40.0
Confidence
92% confidence
Finding
playwright>=1.40.0

Known Vulnerable Dependency: mammoth==1.6.0 — 2 advisory(ies): CVE-2025-11849 (Mammoth is vulnerable to Directory Traversal); CVE-2025-11849 (Mammoth is vulnerable to Directory Traversal)

Critical
Category
Supply Chain
Confidence
99% confidence
Finding
mammoth==1.6.0

Tool Parameter Abuse

High
Category
Tool Misuse
Content
*extra,
            ]
            cmd = " ".join(shlex.quote(p) for p in parts)
            r = subprocess.run(
                cmd,
                shell=True,
                capture_output=True,
Confidence
95% confidence
Finding
subprocess.run( cmd, shell=True

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.