Google Patents

Security checks across malware telemetry and agentic risk

Overview

The skill mostly performs the advertised patent-search workflow, but it silently falls back to a SerpApi key bundled in its code when no key is configured, and it can save downloaded PDFs to caller-chosen file paths.

Review before installing. Use your own SERPAPI_API_KEY, assume searches and patent IDs are sent to SerpApi, avoid confidential product or legal research terms unless approved, and choose PDF output paths carefully. The publisher should remove the bundled key and fail closed when no user-provided key is configured.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill exposes shell and network capabilities but does not declare permissions, which weakens reviewability and can cause operators or users to underestimate what the skill can do. In this context, the skill sends data to an external service and can write files indirectly via shell commands, so the missing declaration increases the chance of unsafe use or over-privileged execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior understates important security-relevant actions: the skill downloads PDFs to local storage and routes queries through SerpApi rather than directly to Google Patents, while static analysis also indicates a default embedded API key in code. That mismatch can mislead users about data flows, credential handling, and file-system side effects, creating real risk of credential leakage, privacy exposure of patent research queries, and unsafe file writes.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The pdf command downloads remote content and writes it to an arbitrary local path supplied as the second argument, which exceeds a read/search-oriented skill boundary and introduces filesystem side effects. This can overwrite files in the current user's writable paths or persist untrusted content locally without strong validation, consent, or sandboxing.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script embeds a fallback SerpApi key directly in code, so anyone with access to the skill's source also holds the credential and can use it for their own outbound requests. Hardcoded secrets are routinely leaked and abused for unauthorized API consumption, are hard to revoke or rotate without breaking every installed copy, and here they also create undisclosed external access even when no environment variable is configured.
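The bundled-key fallback this finding and the Overview describe, beside the fail-closed form the Overview recommends, as an added example; this is not the skill's code or SkillSpector's. It assumes the skill is a Python script reading SERPAPI_API_KEY (the variable named on the page); the SerpApi endpoint, the engine name, the key placeholder, the regexes and the constructed source snippet are assumptions of the example, not facts taken from the skill.

```python
import os
import re

# Constructed placeholder for the credential the scan found embedded in the
# skill; the page does not show the real value and it is not reproduced here.
BUNDLED_KEY = "example-bundled-key-0000000000000000"


def api_key_with_fallback(env=None) -> str:
    """The pattern the finding describes: when the operator has not set
    SERPAPI_API_KEY, a key baked into the source is used without notice."""
    env = os.environ if env is None else env
    return env.get("SERPAPI_API_KEY") or BUNDLED_KEY


class MissingApiKey(RuntimeError):
    """Raised instead of contacting SerpApi when no operator key is configured."""


def api_key_fail_closed(env=None) -> str:
    """Hardened form: no caller-supplied key means no outbound request."""
    env = os.environ if env is None else env
    key = (env.get("SERPAPI_API_KEY") or "").strip()
    if not key:
        raise MissingApiKey(
            "SERPAPI_API_KEY is not set; refusing to send the query to SerpApi"
        )
    return key


def check_key_policy(env: dict) -> dict:
    """Run both policies against the same environment so the difference is
    visible: the fallback always yields a key, fail-closed yields None."""
    result = {"fallback": api_key_with_fallback(env)}
    try:
        result["fail_closed"] = api_key_fail_closed(env)
    except MissingApiKey:
        result["fail_closed"] = None
    return result


def build_search(query: str, env=None) -> dict:
    """Assemble the outbound request together with the data-flow disclosure
    the Overview asks for. Endpoint and engine name are assumptions about how
    the skill talks to SerpApi, not taken from the skill."""
    key = api_key_fail_closed(env)
    return {
        "url": "https://serpapi.com/search.json",
        "params": {"engine": "google_patents", "q": query, "api_key": key},
        "notice": (
            f"This query ({query!r}) and any patent IDs will be sent to "
            "serpapi.com, a third party, using your SERPAPI_API_KEY."
        ),
    }


# Reviewer-side check: flag source lines that look like a bundled key so the
# README-versus-code mismatch is caught before the skill is installed.
EMBEDDED_KEY_PATTERNS = [
    # environ.get("SERPAPI_API_KEY", "<literal default>")
    re.compile(r'SERPAPI_API_KEY["\']\s*,\s*["\'][^"\']{8,}["\']'),
    # SOME_KEY_NAME = "<long literal>"
    re.compile(r'(?i)\b\w*key\w*\s*=\s*["\'][A-Za-z0-9_\-]{16,}["\']'),
    # environ.get("SERPAPI_API_KEY") or "<long literal>"
    re.compile(r'\bor\s+["\'][A-Za-z0-9_\-]{16,}["\']'),
]


def find_embedded_keys(source: str) -> list:
    """Return 1-based line numbers of lines matching a bundled-key pattern."""
    return [
        lineno
        for lineno, line in enumerate(source.splitlines(), 1)
        if any(p.search(line) for p in EMBEDDED_KEY_PATTERNS)
    ]


# Constructed source resembling the fallback pattern; not the skill's code.
CONSTRUCTED_SOURCE = """\
import os
DEFAULT_KEY = "abc123abc123abc123abc123"
api_key = os.environ.get("SERPAPI_API_KEY", DEFAULT_KEY)
timeout = int(os.environ.get("TIMEOUT", "30"))
"""

if __name__ == "__main__":
    print(check_key_policy({}))
    print(find_embedded_keys(CONSTRUCTED_SOURCE))
```

With an empty environment check_key_policy returns the bundled key under the fallback policy and None under fail-closed, which is the behavioural difference the Overview's recommendation turns on. The scanner is a cheap pre-install grep, not a replacement for reading the source: it catches literal defaults next to the variable name and long string literals assigned to key-like names, and will miss a key assembled at runtime.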

Missing User Warnings

Low
Confidence
81% confidence
Finding
The skill documents a PDF download command that writes to a user-specified path without warning about overwrite risk or unsafe paths. In a shell-based workflow, this can lead to accidental clobbering of existing files or writing into unintended locations, especially if the output path is derived from untrusted input.
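The containment and overwrite checks that the arbitrary-output-path finding above and this warning finding both call for, as an added example; this is not the skill's pdf command or SkillSpector's code. It assumes a Python skill, a designated output directory chosen by the operator, and constructed sample paths and bytes (the patent number in the file names is made up).

```python
import tempfile
from pathlib import Path

PDF_MAGIC = b"%PDF-"


class UnsafeOutputPath(ValueError):
    """Raised when a requested destination fails the containment checks."""


def resolve_pdf_output(requested: str, base_dir: str) -> Path:
    """Map a caller-supplied destination to a path inside base_dir, or refuse.

    The weak form the finding describes is open(requested, "wb") with no
    check at all. Here the destination must stay inside base_dir once
    symlinks and ".." segments are resolved, and must end in .pdf.
    """
    base = Path(base_dir).resolve()
    # Joining an absolute `requested` discards `base` entirely, so the
    # parents check below is what actually enforces the boundary.
    target = (base / requested).resolve()
    if target.suffix.lower() != ".pdf":
        raise UnsafeOutputPath(f"refusing non-PDF destination: {requested!r}")
    if base not in target.parents:
        raise UnsafeOutputPath(f"destination escapes {base}: {requested!r}")
    return target


def is_safe_output(requested: str, base_dir: str) -> bool:
    """Boolean wrapper for callers that only need a verdict."""
    try:
        resolve_pdf_output(requested, base_dir)
        return True
    except UnsafeOutputPath:
        return False


def write_pdf(target: Path, content: bytes, allow_overwrite: bool = False) -> int:
    """Persist downloaded bytes only if they look like a PDF, and never
    clobber an existing file unless the caller opted in."""
    if not content.startswith(PDF_MAGIC):
        raise ValueError("downloaded content does not start with %PDF-")
    target.parent.mkdir(parents=True, exist_ok=True)
    mode = "wb" if allow_overwrite else "xb"  # "x" fails if the file exists
    with open(target, mode) as fh:
        return fh.write(content)


def demo() -> dict:
    """Exercise the checks on constructed inputs inside a temporary base dir."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        results["plain"] = is_safe_output("US1234567B2.pdf", base)
        results["subdir"] = is_safe_output("assignee/US1234567B2.pdf", base)
        results["traversal"] = is_safe_output("../../etc/cron.d/job.pdf", base)
        results["absolute"] = is_safe_output("/etc/passwd.pdf", base)
        results["not_pdf"] = is_safe_output("notes.sh", base)

        target = resolve_pdf_output("US1234567B2.pdf", base)
        results["wrote"] = write_pdf(target, b"%PDF-1.4\n%constructed\n")
        try:
            write_pdf(target, b"%PDF-1.4\n")
            results["overwrite_blocked"] = False
        except FileExistsError:
            results["overwrite_blocked"] = True
        try:
            write_pdf(resolve_pdf_output("page.pdf", base), b"<html>not a pdf")
            results["magic_checked"] = False
        except ValueError:
            results["magic_checked"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Resolving before checking matters: a symlink inside the output directory that points elsewhere resolves to its target and is rejected by the parents check, and an absolute requested path silently replaces the base when joined, which is why the check runs on the joined result rather than on the input string. Opening with "x" makes the overwrite decision explicit instead of leaving it to whatever the shell passed in.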

Missing User Warnings

Low
Confidence
78% confidence
Finding
The documentation notes that an API key is required but does not warn that user queries are sent to SerpApi, which may expose sensitive patent research, competitive analysis, or product plans to a third party. Although this is primarily a transparency and privacy issue, the skill context makes it meaningful because freedom-to-operate (FTO) and infringement searches can reveal confidential business intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script silently performs outbound requests to SerpApi using a built-in default key, without any user-facing disclosure that patent queries and identifiers will be sent to a third party. In a research skill handling potentially sensitive IP or FTO analysis, this can leak confidential search intent, target assignees, and patent IDs outside the local environment.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The PDF download path causes a local file write but the script does not clearly warn users in help text or inline that invoking this operation persists remote content to disk. While lower severity than the hardcoded key issue, the missing disclosure increases the risk of unexpected side effects and accidental storage of untrusted or sensitive documents.

VirusTotal

64/64 vendors flagged this skill as clean.
