LinkFox Market Research

Key things to consider before installing: - Metadata mismatch: the skill's SKILL.md and linkfox.py require LINKFOXAGENT_API_KEY, but the registry metadata does not declare any required env vars. Treat the API key as required — do not provide high-privilege credentials without verifying the service. - Remote content execution: the workflow downloads HTML reports and merges them while preserving external CSS/JS references. Opening the final HTML will cause the browser to fetch and run remote resources. Only open the report if you trust agent-api.linkfox.com and the domains hosting the report files. - Check the endpoint: linkfox.py posts to https://agent-api.linkfox.com/ with your API key in the Authorization header. Verify that domain and the service before supplying a key. - Workspace bug: market-research.sh uses OUTPUT_DIR="$WORKSPACE/output" but WORKSPACE is not defined anywhere. If WORKSPACE is empty this may create /output at the filesystem root or otherwise place files in unexpected locations — run in a sandbox or inspect scripts first. - Least privilege: if you decide to provide an API key, use a dedicated key/account with minimal permissions and monitor its usage. - Sandboxing: run the scripts in an isolated environment (container or VM) the first time to observe network calls and file writes. Inspect downloaded HTML before opening in a browser or open it offline (block network) if you want to avoid remote JS execution. - If you need clarity: ask the publisher for an explicit list of required env vars, exact domains the skill will contact, and whether returned HTML is sanitized. The metadata omission and embedding of external scripts are the main reasons this skill is flagged as suspicious.