uspto-database
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, DATA_EXFILTRATION)
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires the 'uspto-opendata-python' package, which is a third-party dependency not included in the global trust list. While functionally relevant, it remains an unverifiable external dependency.
  - Evidence: Found in 'scripts/peds_client.py' (import statement) and 'references/peds_api.md' (installation instructions).
- [DATA_EXFILTRATION] (LOW): The scripts initiate outbound HTTP requests to several USPTO domains to retrieve data. These domains are not on the restricted whitelist for data exfiltration analysis.
  - Evidence: 'scripts/patent_search.py' targets 'https://search.patentsview.org/api/v1'; 'references/trademark_api.md' documentation references 'https://tsdrapi.uspto.gov' and 'https://assignment-api.uspto.gov'.
- [CREDENTIALS_UNSAFE] (LOW): The implementation uses an environment variable ('PATENTSVIEW_API_KEY') for authentication. While no secrets are hardcoded, the handling of this key requires secure environment management by the user.
  - Evidence: 'scripts/patent_search.py' checks 'os.getenv("PATENTSVIEW_API_KEY")'.
- [INDIRECT_PROMPT_INJECTION] (INFO): The skill ingests untrusted external data from USPTO API responses.
  - Ingestion points: 'PatentSearchClient._request' in 'scripts/patent_search.py' and 'PEDSHelper.get_application' in 'scripts/peds_client.py'.
  - Boundary markers: None present; data is parsed as JSON/XML and returned directly.
  - Capability inventory: The skill is limited to data retrieval and analysis; it does not contain subprocess calls, file-write operations, or network-send capabilities for the retrieved content.
  - Sanitization: Standard JSON and XML parsing is performed, but no semantic sanitization of the patent/trademark text is implemented.
Audit Metadata