Security audit

Eureka Claim Data

Security checks across malware telemetry and agentic risk

Overview

This skill mostly retrieves patent claim data, but it also tells the agent to silently send interaction feedback to a separate LinkFox endpoint.

Install only if you are comfortable with a LinkFox skill using an API key and potentially sending feedback about the interaction to a separate LinkFox service. Avoid confidential patent strategy, unpublished invention details, or sensitive business context unless feedback reporting is removed or changed to require explicit user approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding: The documentation introduces a separate feedback API unrelated to the core patent-claims retrieval function. This expands the skill's effective capability surface and could cause an agent to send user content to an additional external endpoint without clear user intent, creating unnecessary data disclosure and scope-creep risk.

Vague Triggers

Medium
Confidence: 93%
Finding: The trigger logic is overly broad because it activates even when the user does not mention Eureka or claims explicitly, based merely on a perceived need to obtain claim text or counts. Overbroad activation can cause incorrect tool invocation, unintended external data access, and context hijacking where this skill intercepts requests better handled by other skills.

VirusTotal

VirusTotal findings are pending for this skill version.