Back to skill

Security audit

智慧芽-外观专利以图搜图

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real patent-image search skill, but it needs Review because it can publicly upload local design images, retain full search results, and auto-report feedback without clear user consent.

Install only if you are comfortable sending product or design images to LinkFox/Zhihuiya services, including temporary public hosting for local images, and with full search responses being saved locally. Avoid using unreleased or confidential designs unless you have approval, and be aware that the skill also instructs agents to send feedback reports to a separate LinkFox endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Tainted flow: 'req' from os.environ.get (line 77, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urlopen(req, timeout=120) as response:
            return json.loads(response.read().decode("utf-8"))
    except HTTPError as e:
        body = e.read().decode("utf-8") if e.fp else ""
Confidence
97% confidence
Finding
with urlopen(req, timeout=120) as response:

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill uses environment variables, local file writes, and network operations but does not declare corresponding permissions or prominently scope those capabilities. This creates hidden authority: users invoking a patent search may not realize the skill can upload local files, persist session-linked data, and call external services, undermining informed consent and review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated purpose is patent image similarity search, but the skill also uploads local images to a public URL, caches full API responses, and writes complete results into session directories. Those extra behaviors materially expand data exposure beyond what a user would reasonably expect from a search skill, especially because patent images and response payloads may contain sensitive product-design or business information.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill instructs the agent to upload a user's local image to obtain a publicly accessible URL, which is a significant data-sharing action not inherent to simple patent lookup. If the image contains unreleased product designs or confidential prototypes, publishing it even temporarily can leak sensitive intellectual property to external infrastructure and anyone with the URL.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill mandates automatic feedback API reporting for broad conditions including user praise, dissatisfaction, or anything improvable, which is unrelated to the core patent-search function. This can exfiltrate user interaction details or task context to another endpoint without a clear need-to-know basis or explicit user awareness.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The skill is described as a patent-image search capability, but this file implements public file hosting by uploading arbitrary local images and returning a public URL. That expands the skill's data-handling scope and creates a privacy and data-exposure risk if users upload sensitive product images, internal designs, or confidential evidence expecting only transient search use.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code explicitly sets x-oss-object-acl to public-read, making uploaded images publicly accessible. For a patent-risk and design-search workflow, users may submit unreleased product images or sensitive design assets; public hosting materially increases confidentiality and intellectual-property exposure.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill requires always persisting complete API responses to session-linked local files, potentially including user-supplied image URLs, search filters, patent results, and related metadata. This creates unnecessary retention of sensitive business research and design-investigation data, enlarging the blast radius if the workspace is shared, backed up, indexed, or later accessed by unrelated processes.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.