Security audit

Zhihuiya Pdf

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed patent-PDF lookup tool that uses a LinkFox/Zhihuiya API, with some privacy and local-storage caveats users should understand.

Install this skill only if you are comfortable sending patent identifiers and related request metadata to LinkFox/Zhihuiya and storing the returned PDF-link data in local plain-text JSON files. Avoid using it for confidential patent searches unless you control the cache/output directory and are asked to confirm before the external paid lookup is used for generic patent-PDF requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The docstring explicitly says writing to `/tmp` is forbidden and that failure should occur if the current directory is not writable, but the implementation falls back to `~/linkfox` and then the system temp directory. That mismatch can cause sensitive API responses to be stored in locations the user would not expect, weakening data-handling guarantees and potentially exposing patent-related data to other local users or less-protected storage.

Vague Triggers

Medium
Confidence: 95%
Finding
The trigger text is explicitly broad enough to activate on generic patent-PDF requests even when the user did not ask for Zhihuiya specifically. That can cause unintended tool invocation, unnecessary paid API usage, and disclosure of user queries to an external service outside the user's clear intent.

Missing User Warnings

Medium
Confidence: 84%
Finding
The script sends arbitrary user-supplied JSON parameters plus session metadata to a remote service, but the user-facing usage/help text does not clearly disclose that this data leaves the local environment. In a skill context, users may treat the tool as a local helper; undisclosed transmission of potentially sensitive patent queries or document identifiers increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script persistently caches and saves full API responses to disk, including under a shared `linkfox/.cache` area and session data directories, without prominent retention disclosure or controls. If responses contain sensitive patent data, identifiers, or account-related details, this creates local data exposure risk and may leave recoverable artifacts beyond the user’s expectations.

Ssd 3

Medium
Confidence: 97%
Finding
The skill directs the system to always persist full API responses in a session-based path under the project working directory and to print complete JSON to stdout for smaller responses. This creates a plain-text data exposure risk through local files, repository/workspace artifacts, shell history, logs, CI captures, or other tooling that can access the working directory or console output.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.