Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

bolo-jiimore

v1.0.0

Amazon niche market analysis tool for cross-border e-commerce product selection. Retrieves detailed market data including demand scores, competition analysis...

byzhaoxing@ctzys
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description and included files (SKILL.md, README, Jiimore.md, client code) are consistent: the bundle implements an Amazon niche-market analysis client that talks to LinkFoxAgent and returns the described metrics.
Instruction Scope (flagged)
SKILL.md and references instruct the agent/user to set LINKFOXAGENT_API_KEY and to call https://test-tool-gateway.linkfox.com endpoints; the code and examples also read that env var. There are no instructions to access unrelated system files, but the SKILL.md is truncated in the listing and the package encourages exporting results to disk (examples write JSON files). The main concern is that the runtime instructions require a secret (API key) which is not declared in the registry metadata.
Install Mechanism
No install spec; this is an instruction-only skill with accompanying example Python code. Nothing is downloaded automatically by the skill itself, so risk from arbitrary installers is low. The included Python client uses requests and standard file I/O (expected).
Credentials (flagged)
The SKILL.md, README.md, references/API-Overview.md, and scripts/jiimore_client.py all require LINKFOXAGENT_API_KEY for authorization. However, the registry metadata lists no required environment variables or primary credential — a clear mismatch. Requesting a single API key is proportionate for this purpose, but the metadata omission is suspicious and should be corrected/clarified before trusting the skill.
Persistence & Privilege
The skill is configured with always:false and does not request persistent or elevated agent privileges. It does not modify other skills or system settings. Example scripts write JSON/exports locally, which is expected for a data client.
What to consider before installing
This package looks like a legitimate Amazon market-analysis client, but there are two things to check before installing or providing credentials: (1) the registry metadata does NOT declare that LINKFOXAGENT_API_KEY is required, yet SKILL.md and the Python client both require it — ask the publisher to correct the metadata and explain how the key is used; (2) verify you trust the endpoint host (https://test-tool-gateway.linkfox.com) and the skill source (no homepage / unknown source ID). If you proceed, restrict and rotate the API key, avoid sharing it publicly, and prefer creating a key with minimal scope/permissions. If you need higher assurance, request the publisher's provenance (homepage or repo) and a signed release or run the included Python code in an isolated environment and audit network calls.
