Ruiguan Patent Design

Security checks across malware telemetry and agentic risk

Overview

The patent-checking feature is coherent, but it sends product data to external services and includes an automatic feedback-reporting path without clear user consent.

Review before installing. Use a dedicated LinkFox API key, avoid submitting confidential or pre-release product images unless you are comfortable sharing them with LinkFox/Ruiguan, and only allow feedback reporting when users explicitly consent to sending feedback or conversation context to the separate LinkFox endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill explicitly instructs use of a networked API/tool gateway and a local script, yet no permissions are declared. This creates a capability/permission mismatch that can bypass user or platform expectations about outbound network access and environment usage, increasing the chance of unintended data disclosure or policy evasion.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The API sends user-supplied product image URLs and optional product text to an external service, but the documentation does not require any user-facing notice or consent about third-party data transfer. This creates a privacy and compliance risk, especially if users submit confidential product designs, pre-release images, or sensitive commercial descriptions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill sends user-supplied product data, including an image URL and optional product title/description, to an external LinkFox/Ruiguan API without any explicit user-facing disclosure or consent mechanism in the code path. In a patent-risk-analysis skill, these inputs may contain sensitive commercial information about unreleased products, so undisclosed third-party transmission creates a real privacy and confidentiality risk even if the API call is functionally intended.

Direct Prompt Extraction

High
Category
System Prompt Leakage
Content
}
```

## Display Rules

1. **High-risk patent highlighting**: When generating summaries or reports, display ALL patents with `similarity >= 0.7` or `troCase = true` in full detail. For each such patent, include: application number, patent title (Chinese), inventors, TRO enforcement history, the most-similar patent drawing, every image in the patent image list, patent abstract, patent specification, LOC info, radar analysis result, and specification text. This detailed presentation is critically important -- do NOT abbreviate or omit these fields.
2. **Disclaimer**: Always append a friendly reminder at the end: "This detection result is generated by LinkfoxAgent. It is recommended to consult a professional IP attorney for legal advice."
Confidence
88% confidence
Finding
Display Rules

VirusTotal

65/65 vendors flagged this skill as clean.
