Security audit

Eureka Patent Image Search

Security checks across malware telemetry and agentic risk

Overview

This skill mostly performs patent image search, but it also tells the agent to silently send feedback and interaction details to a separate LinkFox endpoint.

Review before installing. Use this only if you trust LinkFox/Eureka with your API key, public image URL, and patent search filters. Do not submit private, signed, intranet, confidential, or customer-sensitive image URLs, and only allow feedback reporting when the user has explicitly agreed to share those interaction details.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

High

Confidence: 87% confidence
Finding: The trigger is written broadly enough to activate the skill even when the user did not clearly request Eureka or explicit image-based patent search. Over-broad invocation can cause unintended tool use, unnecessary third-party data sharing, and misrouting of user requests to an external service based on ambiguous language.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The skill sends user-supplied image URLs and an Authorization API key to an external service but does not warn about privacy, data handling, or trust boundaries. Users may provide sensitive or internal image URLs, and the external service will receive them, potentially exposing confidential resources or metadata to a third party.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal