AgentSkillsCN

attribution

在识别适用于软件产品的归属权要求时使用——开源许可证声明、第三方资产署名、API使用归属、字体许可、媒体许可,以及数据来源归属。涵盖不同资产类型与司法管辖区下,必须进行归属的内容、归属方式,以及归属位置。 适用场景:归属权要求、许可证声明、开源归属、Creative Commons、字体许可、图像许可、API归属、数据归属、NOTICE文件、第三方署名、UI中的归属、文档中的归属。 不适用场景:选择开源许可证(应使用开源许可相关工具)、知识产权纠纷(应使用知识产权相关工具)、内容审核义务(应使用内容审核相关工具)。

SKILL.md
--- frontmatter
name: attribution
description: |
    Use when identifying attribution requirements that apply to software products — open-source license notices, third-party asset credits, API usage attribution, font licensing, media licensing, and data source attribution. Covers what must be attributed, how, and where across different asset types and jurisdictions.
    USE FOR: attribution requirements, license notices, open-source attribution, Creative Commons, font licensing, image licensing, API attribution, data attribution, NOTICE files, third-party credits, attribution in UI, attribution in documentation
    DO NOT USE FOR: choosing open-source licenses (use open-source-licensing), IP ownership disputes (use intellectual-property), content moderation obligations (use content-moderation)
license: MIT
metadata:
  displayName: "Attribution"
  author: "Tyler-R-Kendrick"
compatibility: claude, copilot, cursor

Attribution

Disclaimer: This skill provides general educational information about legal topics relevant to software development. It is not legal advice. Laws vary by jurisdiction and change frequently. Always consult a qualified attorney licensed in the relevant jurisdiction before making legal decisions for your organization.

Overview

Attribution is a legal obligation that arises from many sources — open-source licenses, Creative Commons media, font licenses, API terms of service, data provider agreements, and more. Failing to provide required attribution can constitute license violation (risking license termination and copyright infringement claims), breach of contract, or regulatory non-compliance. Many companies underestimate attribution requirements because the obligation is spread across dozens of different asset types, each with its own rules.

Attribution by Asset Type

Asset TypeCommon Licenses/TermsAttribution RequiredWhere to Attribute
Open-source librariesMIT, Apache 2.0, BSD, GPL, LGPL, MPLYes (nearly all OSS licenses)NOTICE file, about/legal screen, documentation
FontsOFL (SIL Open Font License), proprietary EULAOFL: yes; Proprietary: per EULAFont credits page, CSS comments, documentation
Images / IconsCreative Commons, stock photo licenses, proprietaryCC BY: yes; Stock: per license; Proprietary: per contractImage credits, about page, metadata
Audio / VideoCreative Commons, royalty-free licenses, sync licensesCC BY: yes; Royalty-free: per licenseCredits section, end cards, metadata
DatasetsCC BY, ODC-BY, government open data licensesCC BY/ODC-BY: yes; Some government: yesData source citations, documentation
APIsTerms of service, developer agreementsMany require "powered by" brandingUI badge/logo, documentation, per ToS
MapsGoogle Maps Platform, Mapbox, OpenStreetMapYes (all major providers)Map overlay attribution, per ToS
AI/ML modelsModel cards, Hugging Face licenses, proprietaryVaries — many require model creditDocumentation, about page, per license

Open-Source Attribution

Open-source attribution is the most common and most frequently violated attribution requirement in software.

What Most OSS Licenses Require

LicenseRequirementsNOTICE FileLicense TextCopyright Notice
MITInclude copyright notice + license text in copiesRecommendedRequiredRequired
Apache 2.0Include NOTICE file + license text; state changesRequiredRequiredRequired
BSD 2-ClauseInclude copyright notice + license textRecommendedRequiredRequired
BSD 3-ClauseSame as 2-Clause + no endorsement clauseRecommendedRequiredRequired
ISCInclude copyright notice + license textRecommendedRequiredRequired
MPL 2.0License text in source files; larger work can be proprietaryPer-fileRequired (per file)Required
LGPL 2.1/3.0License text + copyright + link to source for modificationsRequiredRequiredRequired
GPL 2.0/3.0Full license + copyright + source offer for binariesRequiredRequiredRequired
AGPL 3.0Same as GPL + network interaction triggersRequiredRequiredRequired

NOTICE File Structure

The standard approach for bundling attribution in a distributable product:

code
NOTICE

This product includes software developed by third parties.

================================================================================
Library: react
Version: 18.2.0
License: MIT
Copyright (c) Meta Platforms, Inc. and affiliates.
================================================================================

================================================================================
Library: lodash
Version: 4.17.21
License: MIT
Copyright JS Foundation and other contributors
================================================================================

================================================================================
Library: express
Version: 4.18.2
License: MIT
Copyright (c) 2009-2014 TJ Holowaychuk
Copyright (c) 2013-2014 Roman Shtylman
Copyright (c) 2014-2015 Douglas Christopher Wilson
================================================================================

Automation Tools

ToolEcosystemOutput
license-checkernpmJSON/CSV/Markdown of all dependency licenses
license-reportnpmDetailed license report with texts
pip-licensesPythonTabular license output for pip packages
go-licensesGoLicense detection and NOTICE file generation
dotnet-project-licenses.NETNuGet package license report
FOSSAMulti-languageFull compliance management platform
SnykMulti-languageLicense auditing as part of SCA
licenseFinderMulti-language (Ruby-based)Approve/deny license policies

Where to Display OSS Attribution

Distribution MethodWhere to Show Attribution
Web application (SaaS)"Legal" or "Open Source Licenses" page linked from footer
Desktop applicationAbout dialog → "Third-Party Licenses" section
Mobile app (iOS)Settings → Licenses (use Settings.bundle or acknowledgements plist)
Mobile app (Android)About → Open Source Licenses (use oss-licenses-plugin for Gradle)
CLI tool--licenses flag or THIRD-PARTY-NOTICES.txt bundled in distribution
Library / SDKNOTICE or THIRD-PARTY-NOTICES file in package root
Container image/licenses/ directory or NOTICE file in image root
DocumentationAcknowledgements section in README or docs site

Creative Commons Attribution

Creative Commons licenses are common for media, data, and documentation.

LicenseAttribution RequiredShare AlikeCommercial Use
CC0NoNoYes
CC BY 4.0YesNoYes
CC BY-SA 4.0YesYes (derivatives same license)Yes
CC BY-NC 4.0YesNoNo
CC BY-NC-SA 4.0YesYesNo
CC BY-ND 4.0YesNo (no derivatives)Yes

Proper CC BY Attribution (TASL)

Creative Commons specifies the TASL format:

  • Title — name of the work
  • Author — creator name (linked to profile if available)
  • Source — URL where the work was found
  • License — license name linked to the license deed

Example:

code
"Sunset Over Mountains" by Jane Smith (https://example.com/photo/123)
is licensed under CC BY 4.0 (https://creativecommons.org/licenses/by/4.0/)

Font Licensing

Fonts carry their own licensing terms that are frequently overlooked.

LicenseAttributionEmbeddingModification
SIL Open Font License (OFL)Required (original name + copyright)Web/app/document embedding allowedAllowed (must rename modified version)
Apache 2.0 (some Google Fonts)Required (copyright + license)AllowedAllowed
Proprietary (Adobe, Monotype, etc.)Per EULAPer EULA (often limited seats/pageviews)Typically prohibited
Desktop-only licensesPer EULAWeb embedding NOT allowedPer EULA

Font Attribution Pitfalls

  • Web fonts loaded via Google Fonts CDN do not require separate attribution (Google's ToS handles it), but self-hosted Google Fonts do require including the license file.
  • Icon fonts (Font Awesome, Material Icons) have separate licenses for the font file vs the CSS/SVG — check both.
  • Custom font subsets may trigger modification clauses — OFL requires renaming modified fonts.

API and Service Attribution

Many APIs and services require visible attribution as a condition of use.

ServiceAttribution Requirement
Google Maps"Google" logo on map + "Map data ©20XX Google" + Terms link
Mapbox"© Mapbox" + "© OpenStreetMap" on map display
OpenStreetMap"© OpenStreetMap contributors" with link to copyright page
TwilioNo visible attribution required (per current ToS)
Stripe"Powered by Stripe" badge on checkout (optional but encouraged)
OpenAI APINo required attribution (per current ToS), but must not claim AI output is human-generated
GitHub APIMust comply with ToS; no mandatory badge
UnsplashAttribution appreciated but not required (Unsplash License)

Always check the current Terms of Service. API attribution requirements change with ToS updates. What was optional last year may be mandatory now.

Data Source Attribution

Data LicenseAttribution RequiredDerivative Works
Open Data Commons Attribution (ODC-BY)Yes — credit sourceYes
Open Data Commons ODbLYes — credit source + share alikeYes (same license)
CC BY 4.0 (for datasets)Yes — TASL formatYes
Government open data (US)Generally no (public domain)Yes
Government open data (UK)OGL — yes, crown copyrightYes
Government open data (EU)Varies by member stateVaries

Compliance Checklist

#CheckFrequency
1Audit all dependencies for license types and attribution requirementsEvery release
2Generate NOTICE/THIRD-PARTY-NOTICES file from dependency metadataEvery build (automate)
3Review media assets (images, icons, fonts, audio) for license termsWhen assets are added
4Check API ToS for attribution requirementsWhen integrating new APIs and on ToS change notifications
5Verify data source licenses for attribution and share-alike termsWhen incorporating new data sources
6Display attribution in the correct location for your distribution typeEvery release
7Verify modified fonts are renamed per OFL requirementsWhen customizing fonts
8Document attribution decisions in a central registerOngoing

Best Practices

  • Always consult legal counsel when unsure about attribution requirements — getting it wrong can terminate your license to use the software.
  • Automate NOTICE file generation as part of your CI/CD pipeline — tools like license-checker, FOSSA, and go-licenses catch new dependencies automatically.
  • Maintain a central attribution register that tracks every third-party component, its license, and where attribution is displayed.
  • Include attribution in your release checklist — it is easy to add a dependency and forget to update the NOTICE file.
  • Check API Terms of Service on a scheduled basis — attribution requirements change with ToS updates without notice.
  • Do not strip copyright notices or license headers from source files — many licenses explicitly require preserving them.
  • Display attribution accessibly — a legal/licenses page that users can actually find, not buried in an invisible footer.
  • Treat font licenses as seriously as code licenses — font piracy lawsuits are common and penalties can be per-seat or per-pageview.