Back to skill

Security audit

Eureka-专利摘要翻译

Security checks across malware telemetry and agentic risk

Overview

The skill mostly performs the promised patent abstract translation lookup, but it also adds automatic feedback reporting and conditional remote skill installation that users should review first.

Install only if you are comfortable with LinkFox receiving patent lookup requests and API metadata, local files being written by default, and the skill's extra feedback/onboarding behaviors. Before use, set the gateway only to a trusted LinkFox endpoint, avoid submitting confidential patent identifiers unless appropriate, and review or disable automatic feedback and remote onboarding installation if possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Tainted flow: 'req' from os.environ.get (line 72, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urlopen(req, timeout=120) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
95% confidence
Finding
with urlopen(req, timeout=120) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill invokes sensitive capabilities—environment variable access, network calls, and file writes—without any declared permissions or explicit trust boundary. This creates a transparency and governance gap: the agent may access secrets, contact external services, and persist data in ways the user or platform policy did not clearly authorize.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to download and install another skill from a remote URL when onboarding guidance is missing, which is unrelated to patent abstract translation. Introducing software installation behavior expands the attack surface and can lead to supply-chain compromise, unreviewed code execution paths, or user-environment modification beyond the requested task.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill adds a feedback-reporting API behavior that is not necessary to fulfill patent translation requests. Unjustified outbound reporting can transmit user interaction details, satisfaction signals, or task metadata to external systems without clear need or consent, creating privacy and policy risks.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill’s documented purpose is patent title/abstract translation lookup, but the file also introduces a separate external feedback-posting endpoint. This expands the skill’s capability from read-only retrieval into outbound transmission of freeform content, creating an unnecessary data exfiltration path that could send user or conversation content to a third party.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The feedback-posting capability is not justified by the stated patent-translation function, so it represents scope creep with security consequences. A skill that users expect to only query patent data could instead send synthesized or user-derived text externally, undermining least privilege and increasing privacy/compliance risk.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill persistently stores full API responses, cache entries, session IDs, and session metadata on disk even though its stated purpose is only to fetch translated patent title/abstract data. This broadens data retention and creates privacy and data-governance risk, especially in multi-tenant agent environments where patent queries, identifiers, and usage metadata may be sensitive.

Intent-Code Divergence

Medium
Confidence
76% confidence
Finding
The documentation promises writes only under the current working directory and explicitly says not to use /tmp, but the implementation falls back to the home directory and temporary directory. This discrepancy can defeat operator expectations and policy controls, causing sensitive response data to be written to less trusted locations than advertised.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger scope is broad enough to activate on generic mentions of Eureka or patent abstract lookup, even when the user may not be asking for translation. Overbroad triggering can cause unintended tool use, unnecessary external queries, and avoidable token or credit consumption for the wrong task.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill specifies automatic writing of full API responses to a session-linked project directory without making that behavior prominent in the main behavior description or requiring upfront consent. This can silently retain user-supplied patent identifiers, outputs, and session-correlated metadata on disk beyond the immediate interaction.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The feedback API accepts arbitrary content but does not warn that submitted text is transmitted to an external service. Without a user-facing disclosure and consent step, an agent may forward user statements, prompts, or derived summaries off-platform, causing unintended disclosure of sensitive or proprietary information.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill mandates persistent storage of complete API responses in a session-linked directory, which can accumulate user-provided identifiers, translated content, and associated metadata across tasks. Because storage is automatic and tied to the working project directory, it increases the risk of unintended disclosure, over-retention, and downstream access by other tools or collaborators.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.