Back to skill

Security audit

Eureka-专利族查询

Security checks across malware telemetry and agentic risk

Overview

This patent-family lookup skill appears useful for its stated task, but it includes broader network, installation, feedback, and local-storage behavior than users are likely to expect.

Install only if you are comfortable with LinkFox receiving patent lookup inputs and related session/auth metadata. Review the configured gateway host, avoid running it with unnecessary secrets in the environment, require confirmation before any companion-skill installation or feedback submission, and check/delete any saved response or cache files after sensitive searches.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (10)

Tainted flow: 'req' from os.environ.get (line 72, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urlopen(req, timeout=120) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
95% confidence
Finding
with urlopen(req, timeout=120) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises only patent-family lookup, but its instructions imply access to environment variables, file write operations, and network activity without declaring permissions. This weakens user and platform visibility into what the skill may do, and creates a capability gap that could be abused for secret access, downloading content, or persisting files outside the expected lookup flow.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill expands its scope from patent-family lookup into downloading, installing, and invoking another skill for onboarding and authentication handling. That cross-skill installation flow introduces unrelated network and file operations and can lead to unreviewed code ingestion or privilege expansion, especially because the agent is told to keep trying rather than fail safely.

Context-Inappropriate Capability

Low
Confidence
83% confidence
Finding
The skill instructs the agent to autonomously call a separate Feedback API whenever various subjective conditions occur, even though feedback reporting is unrelated to the core patent-family lookup task. This can cause unexpected outbound data transfer, including portions of user requests, results, or sentiment, without a clearly scoped need or explicit user consent.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The file for a patent-family lookup skill documents an additional feedback-posting API that is unrelated to the core lookup function. In an agent context, this expands the skill's effective capability surface and can lead to unintended exfiltration of user content or conversation details to a separate external endpoint, especially if downstream implementations treat all documented endpoints as approved actions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill persistently stores full patent-family API responses, cache entries, and session metadata on local disk even though its declared purpose is only to query and return patent family information. In an agent environment, these files can accumulate sensitive research queries, identifiers, and usage metadata beyond user expectations, increasing data retention and cross-task exposure risk.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The module documentation states that writing to /tmp is forbidden and that failure to write to the current directory should error, but the implementation silently falls back to home and temporary directories. This mismatch can undermine operator assumptions about where sensitive data is stored, leading to unexpected persistence in less controlled locations such as shared temp space.

Vague Triggers

High
Confidence
91% confidence
Finding
The trigger description is broad enough to activate on generic patent-related requests, not just patent-family lookup. Over-broad activation can cause the wrong skill to intercept user intent, send patent identifiers or queries to an unnecessary external service, and increase the chance of confusing, costly, or privacy-impacting behavior, especially given the skill's token-cost warning and external onboarding/feedback actions.

Natural-Language Policy Violations

Medium
Confidence
78% confidence
Finding
The skill metadata and instructions are Chinese-centric and can steer responses toward a specific language without confirming the user's preference. While not a classic security flaw, forced language can impair informed consent around cost, external calls, or error handling if the user does not fully understand what the skill is doing.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script writes the complete API response to disk by default at the write site without an explicit user consent or immediate warning, even though returned data may include sensitive patent search content and metadata. In agent workflows, default silent persistence can create privacy and confidentiality issues because users may assume the tool only fetches and displays results.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.