Back to skill

Security audit

AI Copyright Skill

Security checks across malware telemetry and agentic risk

Overview

This patent-drafting skill appears legitimate, but it needs Review because it may automatically create local legal/IP documents and intermediate files from sensitive project material without clear enough user control.

Install only if you specifically want Chinese patent-style drafting help. Before using it, confirm where files will be written, whether temporary/progress files are retained, and whether you can delete intermediates. Do not provide confidential invention details unless you are comfortable storing them locally, and have a qualified patent professional review any generated claims or CNIPA-format documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list includes very broad phrases like 'patent', 'claims', 'specification', and 'disclosure', which can match ordinary user conversations and cause the skill to activate unexpectedly. In a skill that can generate legal-style outputs and later auto-produce files, overbroad activation increases the risk of unintended workflow entry, surprise data processing, and accidental document generation from unrelated content.

Vague Triggers

Low
Confidence
82% confidence
Finding
The statement that modified existing output should 'enter iterative correction flow directly' is underspecified and may cause the agent to bypass normal intake, confirmation, or safety gates. That creates a control-flow ambiguity where small edits or pasted text could trigger a stateful editing mode without revalidating scope, destination path, or whether file-writing actions remain appropriate.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes automatic creation of .docx, .pptx, temporary scripts, progress files, and output directories without a clear upfront warning or explicit user consent for filesystem writes. In an agent environment, silent write behavior can lead to unintended persistence of sensitive source code, inventor data, or derived legal documents, especially because this skill processes proprietary AI project materials.

Natural-Language Policy Violations

Medium
Confidence
78% confidence
Finding
The skill is framed around generating Chinese patent applications and CNIPA-format deliverables without clearly establishing this as a user-selected jurisdictional choice. That can mislead users into producing region-specific legal documents that are inappropriate for their needs, creating compliance, quality, and legal-process risks rather than a classic exploit path.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.