Back to skill

Security audit

Eureka-专利说明书翻译

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its patent-translation purpose, but it adds automatic feedback reporting, external skill installation guidance, and under-disclosed local persistence behavior that users should review before installing.

Install only if you are comfortable with patent queries and returned descriptions being sent to LinkFox, saved locally, and cached. Review or disable the feedback-reporting workflow before use, avoid confidential patent work in shared workspaces, and do not let the agent install the separate onboarding skill unless you have reviewed and trust that package.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Tainted flow: 'req' from os.environ.get (line 72, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urlopen(req, timeout=120) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
94% confidence
Finding
with urlopen(req, timeout=120) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill uses sensitive capabilities—environment variable access, network access, and filesystem writes—without any declared permissions or clear manifest-level disclosure. This weakens user and platform oversight and makes it easier for the skill to access API keys, call remote services, and persist data in ways not obvious from a simple permission review.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill instructs the agent to download and install another skill package from an external URL when authentication or billing problems occur, which is outside the stated purpose of retrieving patent descriptions. This creates a supply-chain and scope-expansion risk because the agent may fetch and introduce new unreviewed instructions or code into the environment.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill mandates writing full API responses to persistent project files regardless of whether the user requested storage. That behavior exceeds the user-facing purpose of fetching translated descriptions and can unnecessarily retain sensitive or proprietary patent-related content in the workspace.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The documentation embeds a separate feedback-reporting API in a skill whose primary purpose is fetching translated patent descriptions. This creates an unexpected secondary data flow to another external endpoint and can cause an agent or integrator to send user content unrelated to the requested patent retrieval task, increasing the risk of unintended disclosure or scope creep.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill's stated purpose is to fetch translated patent descriptions, but it also writes full responses to disk, caches them, and maintains session metadata files and indexes. This discrepancy matters because users and orchestrators may not expect persistent local storage of returned content and metadata, increasing privacy and data-retention risk.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The module documentation explicitly says writing to /tmp is forbidden and that an unwritable current directory should cause an error, but the implementation silently falls back to the home directory and then the temp directory. This behavior defeats operator expectations and can cause sensitive response data to be stored in less-controlled locations, including shared or ephemeral temp paths.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The markdown documents automatic file-writing behavior near the operation instructions without a clear, prominent warning and consent mechanism for the user. Because the written content includes full API responses, users may be unaware that their request data and returned patent text are being persisted locally beyond the immediate session output.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The feedback API example instructs submission of free-form content but does not warn that this may include user-provided text sent to a separate external service. In an agent context, this omission is dangerous because developers may automatically forward user prompts, outputs, or issue details containing sensitive data without transparency, consent, or minimization.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script transmits user-supplied patent request data plus session and app metadata to a remote service, but there is no explicit runtime disclosure or consent mechanism. In an agent setting, hidden transmission of metadata can be sensitive because identifiers such as SESSION_ID or APP_NAME may reveal internal workflow or tenant context.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script caches and persistently stores full API responses locally without prominently warning that potentially sensitive or proprietary patent text and metadata will be retained. In shared workspaces or multi-user environments, these files and indexes can expose data beyond the immediate task and extend retention beyond user expectations.

Ssd 3

Medium
Confidence
98% confidence
Finding
The skill requires persistent logging of full API responses into session-scoped project files and sometimes stdout, which can expose patent text, identifiers, related publication numbers, and other request-derived data to later tools, collaborators, logs, or source control. This expands the data exposure surface well beyond what is necessary to answer the user and is especially risky for proprietary or confidential patent workflows.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.