Back to skill

Security audit

patent-search

Security checks across malware telemetry and agentic risk

Overview

This is mostly a coherent patent/IP search skill, but it needs review because export can silently install extra Python packages and create local files.

Review before installing. Use it only if you are comfortable sending patent/IP queries and identifiers to 9235 with your API token, creating local export/download files, and accepting that export may install openpyxl or python-docx automatically. Prefer running it in an isolated environment or preinstalling vetted dependencies yourself.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The manifest description omits documented copyright and trademark search capabilities, so the visible scope is narrower than the actual documented functionality. While not inherently malicious, this can mislead users, reviewers, and policy systems about what data will be queried and what external services will be used.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The file can automatically install Python packages by invoking `uv pip install` or `pip install` during normal execution. In a patent search skill, runtime dependency installation is unnecessary for core search behavior and expands the attack surface to network/package-supply-chain risk, environment drift, and unexpected code execution from downloaded packages.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The CLI exposes copyright and trademark operations even though the skill metadata describes the capability as patent search and analytics. This creates a scope mismatch that can mislead users, policy engines, or permission reviews into approving broader data access and functionality than expected.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The skill manifest describes a patent-search capability, but the code also exposes trademark and copyright search methods. This scope mismatch is security-relevant because it creates hidden functionality that users, operators, and policy reviewers would not expect, weakening least-privilege and review assumptions.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill includes local file download-and-write capabilities that are not described in the manifest. Undeclared filesystem write behavior is dangerous because it expands the skill from read/query operations into state-changing local side effects, enabling disk abuse, persistence of untrusted content, or unsafe handling of attacker-controlled filenames/paths.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Generic remote file download is not justified by a patent-search analytics skill and materially increases risk. Even though the URL host is fixed, the code fetches arbitrary server-side content based on caller-supplied paths and writes it locally, which can be abused to store malicious or unexpected files and to consume disk/network resources.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly promotes network-backed patent, company, and analytics queries against a third-party API plus Excel export, but it does not clearly warn that user-supplied search terms and company names will be transmitted to an external service or that exported files may persist sensitive results locally. In an agent context, users may assume a built-in skill is local or trusted, so the missing disclosure increases the risk of unintended data disclosure and unsafe file handling.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill handles credentialed third-party API requests and supports local downloads/exports, but the description does not clearly warn that user queries may be transmitted to 9235 and that files may be written locally. This creates a transparency and privacy risk, especially if users submit sensitive company names, invention concepts, or proprietary search terms expecting only local processing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code attempts package installation automatically and silently, with no visible confirmation or informed consent at the point of execution. That can surprise operators, violate least astonishment, and permit unreviewed modification of the runtime environment, which is especially risky in shared or production agent contexts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The PDF download function writes a file to disk without any user-facing warning, confirmation, or visible notice in the code path. Silent local writes are risky in agent contexts because users may believe they are only querying data, while the skill is actually modifying local state and persisting remote content.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The image download function similarly performs silent filesystem writes without confirmation. In an agent environment, this undermines transparency and can surprise users with local artifacts created from untrusted remote content.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
excel_export.py:33

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
patent_skill.py:28