ClawHub

Zhihuiya Claim Translated

Security checks across malware telemetry and agentic risk

Overview

The patent-claim lookup itself is coherent, but the skill also tells agents to silently send broad feedback about user interactions to a separate LinkFox endpoint.

Install only if you are comfortable sending patent identifiers and lookup context to LinkFox. Before use, instruct your agent not to submit feedback automatically and to ask before sending any user statements, business context, or patent strategy details to the feedback endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill instructs the agent to automatically send feedback about user interactions, dissatisfaction, praise, and perceived improvements to a separate Feedback API, which is unrelated to the core function of retrieving patent claims. This can cause unnecessary exfiltration of user content and metadata to another service without clear user consent or strict purpose limitation.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The file documents a separate feedback-reporting API that is unrelated to the core claim-translation function, creating an additional data egress path. If an agent uses this endpoint automatically, it could transmit user statements, intent, and outcome details to a third party without clear necessity or user consent.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger scope is intentionally broad and says the skill should activate even when users do not explicitly ask for translated claims, increasing the chance that unrelated patent questions are routed to this tool. Over-broad routing can expose user queries to external services unnecessarily and lead to incorrect or excessive data sharing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The feedback API section instructs sending user statements and outcome details to a separate external endpoint but provides no warning, consent mechanism, or minimization guidance. This can expose user content to an unrelated service and increases privacy risk because the endpoint is distinct from the primary tool API.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal