Patent Assistant

Security checks across malware telemetry and agentic risk

Overview

This skill matches its patent-drafting and patent-search purpose, but patent search queries can be sent to public third-party search sites.

Install only if you are comfortable using public patent-search services for your search terms. For unpublished inventions or trade secrets, draft locally first, search with short non-confidential keywords, avoid the all-platform option when unnecessary, and do not use HTTP-based sources for sensitive queries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 94%
Finding
The skill instructs use of a local script and multiple external patent-search platforms, which implies network access and likely file I/O, yet no permissions are declared. This creates a capability/permission mismatch that can bypass user expectations and platform controls, especially because user-provided patent content may be sensitive, unpublished technical information.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger conditions are broad phrases such as writing patents, disclosures, searches, and novelty checks, which can overlap with ordinary discussion and cause accidental invocation. In this context, misrouting is risky because the skill may encourage sending sensitive R&D details into a workflow that performs external searches, increasing confidentiality and data-leakage exposure.

VirusTotal

66/66 vendors flagged this skill as clean.
