Back to skill

Security audit

Epo Patent Intelligence

Security checks across malware telemetry and agentic risk

Overview

This skill is a plausible patent-reporting tool, but it includes hard-coded tunnel credentials and scripts that can publish local reports to an external Cloudflare domain with more authority and less disclosure than users should accept unchecked.

Install or run only in an isolated environment after removing the hard-coded Cloudflare token, verifying who controls hermes.sqncr.ai, and deciding whether public report hosting is acceptable. Provide EPO credentials through a managed secret mechanism, do not run the tunnel or cron scripts as root without audit, and review any generated reports before relying on them for business decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (71)

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The document states that no data is sent to external services except the EPO API, but elsewhere it directs use of external LLM analysis, CDN-hosted frontend assets, and hosted report deployment. This misrepresentation can cause operators to expose patent data, business intelligence, and report contents to third parties without informed consent or proper review.

Context-Inappropriate Capability

Medium
Confidence
71% confidence
Finding
The script directly reads a local .env file from an absolute workspace path and immediately uses the recovered secrets to authenticate to an external service. In an agent-skill context, this is risky because the skill accesses local credentials without user gating or clear necessity boundaries, increasing the chance of unintended secret use or abuse if the skill is repurposed.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The document embeds a live Cloudflare tunnel token directly in recovery commands, which exposes a credential that can be reused by anyone with access to the file. Because this is operational documentation intended to be followed during incidents, the secret is likely to be copied, logged, or propagated further, increasing the chance of unauthorized tunnel use or service impersonation.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The report exposes sensitive operational details such as a public service URL, internal process information, infrastructure state, and database location, then explicitly asserts that no security vulnerabilities were identified. This can create false assurance while materially aiding reconnaissance for an attacker by mapping reachable services and operational dependencies.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The report asserts that it contains real EPO patent data, yet the document includes conflicting totals, duplicated sections, and clearly demo-style content. In a business intelligence context, this is dangerous because users may rely on false or mixed provenance data for strategic decisions, creating integrity and trust risks even without code execution.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The report claims to contain real patent data, yet the page includes inconsistent totals and clearly mixed synthetic/example entries elsewhere in the document. In a competitive-intelligence context, this can mislead users into trusting fabricated or stale information, causing bad business decisions and undermining integrity of the report.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The report asserts that it contains real patent data and a specific count, but the page contains conflicting totals and obvious templated/demo entries elsewhere in the file. In a competitive intelligence context, this can mislead internal users into making business decisions based on fabricated or mixed-quality data, which is a security-relevant integrity issue.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The page explicitly claims to contain real EPO patent data while the file contains conflicting totals such as 48 patents in the title, 37 analyzed in the header, 47 total patents in the summary, 37 total in the patent section, and 20 patents in the data-source note. This is dangerous because users may rely on materially inaccurate competitive-intelligence output for business decisions, and the false claim of real-source integrity increases the likelihood of misplaced trust.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The document presents itself as a current weekly 2026 report, but later includes sample/demo-style content, older dated example patents, and a narrative timeline that does not align with the stated report scope. This creates a deceptive mixed-trust artifact where synthetic/sample content is indistinguishable from purported live intelligence, increasing the risk of operational misuse.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The document repeatedly claims to show 'real' weekly patent data, but the content contains obvious contradictions and mixed placeholder/demo material, such as inconsistent totals, duplicated sections, and sample-looking competitor cards. In a business intelligence context, this is dangerous because users may act on fabricated or stale information while believing it is authoritative internal analysis.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The document presents materially inconsistent claims about patent counts and data provenance, while the body contains duplicated sections and conflicting totals. In a competitive-intelligence skill, this can mislead users into making business decisions based on inaccurate or fabricated analysis, which is a real integrity issue even though it is not code execution.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The script presents itself as an "Independent" and "Blind Evaluation" while using hard-coded scores, fixed strengths/weaknesses, and a predetermined recommendation favoring Version B. This is dangerous because it fabricates objective review output and can be used to launder a preselected decision as if it were neutral analysis, undermining trust in downstream business or governance decisions.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
Although the function claims to compare baseline and enhanced reports, it reads both files but largely ignores the baseline content and emits canned conclusions about each version. In the context of an agent skill that is supposed to perform independent evaluation, this mismatch is deceptive and can systematically bias users toward a chosen outcome.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
Although presented as a debugging script, it prints the first part of the consumer key, secret key, and access token to stdout. Even partial credential disclosure materially increases exposure in shared terminals, CI logs, shell history capture, or centralized log systems, and the misleading debug framing makes accidental execution more likely.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script unconditionally kills any process whose command line matches "python3 -m http.server" before starting its own server. This is dangerous because it can disrupt unrelated services owned by the same user or system, causing unintended denial of service and making the script affect resources outside its stated scope.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The script description understates what it actually does: it not only restarts a tunnel but launches a new HTTP server serving a local reports directory and exposes it publicly through Cloudflare. This mismatch can mislead operators into unintentionally publishing sensitive local content, especially because the served path is an internal workspace directory under /root.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The script description claims it only restarts a tunnel, but it also force-kills matching Python HTTP server processes and launches a new local web server serving the reports directory. This mismatch is security-relevant because operators may run it without realizing it exposes local content over HTTP and then publishes it through a tunnel, increasing the chance of accidental data exposure.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
Although presented as a routine weekly rotation utility, the script also generates a deployment helper that force-kills existing services and publishes local content through a Cloudflare tunnel. In an agent skill context, that expands the blast radius from local file management to network exposure of data and service manipulation, making the behavior materially more dangerous than the filename/comments suggest.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script claims to start a tunnel for patent reports, but it first issues broad `pkill` commands for all `python3 -m http.server` and `cloudflared` processes on the host. This can terminate unrelated services owned by the same user or system, causing denial of service and unsafe interference beyond the skill's stated scope.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The commands on these lines kill every matching local HTTP server and every `cloudflared` instance, not just a previous instance of this script. In a shared or multi-service environment, that behavior can disrupt legitimate tunnels or web servers and create avoidable service outages.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The script embeds a hard-coded Cloudflare tunnel token and uses it to expose a localhost service to the public Internet. A credential committed in a skill can be reused by anyone with access to the file, and the tunnel bypasses the normal expectation that `localhost:8080` is only locally reachable, making unintended data exposure or remote interaction much more likely.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script is presented as a documentation verifier, but it performs state-changing actions by modifying file permissions. This violates the principle of least surprise and can cause unintended repository or environment changes when a user expects a read-only audit tool.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
During the required scripts check, the verifier automatically changes execute permissions instead of only reporting the issue. A user invoking a check may unknowingly alter tracked files, CI workspaces, or deployment artifacts, which is risky in security-sensitive or reproducible environments.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The configuration validation step is not purely observational because it can change .env permissions later in the same check flow. Mixing validation with mutation can surprise operators and may break workflows that rely on different ownership or permission models.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script instructs a downstream agent to update an Obsidian vault even though the file’s stated purpose is weekly patent-report automation. This expands the skill’s operational scope from report generation into modifying an external knowledge store, which can cause unintended file changes, data propagation, or agent overreach if the downstream agent follows these directions automatically.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.