Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

E-commerce find skills

v1.0.1

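Skill search for the e-commerce domain; finds higher-quality, more specialized e-commerce Skills. Must be triggered when the user wants to search for or install e-commerce-related skills. Platforms covered: Amazon, Shopee, TikTok Shop, AliExpress, Lazada, eBay, Walmart, Temu, and independent Shopify stores. Domains covered: product selection and development, ...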

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description and the SKILL.md consistently describe searching and installing e‑commerce skills from a marketplace; requested capabilities (search/install) align with the stated purpose.
Instruction Scope
Instructions explicitly call a CLI (linkfoxskill) to search/install/update skills and instruct installing into agent workspace directories (e.g., ~.claude, ~.openclawworkspace). They do not request unrelated files or credentials, but they assume the presence and trustworthiness of the linkfoxskill tool and will cause arbitrary packages to be written into the agent's skill workspace.
Install Mechanism
This is instruction‑only (no install spec), which is low risk on its own; however, it delegates installation to an external CLI that is not declared, linked, or documented. That CLI may download and extract code from remote sources — the SKILL.md provides no provenance or verification steps for marketplace packages.
Credentials
No environment variables, binaries, or config paths are declared (appropriate), but the skill instructs writing into agent workspace directories. Installing third‑party skills into those workspaces is a privileged action relative to the skill's role and should be justified by provenance controls.
Persistence & Privilege
always is false (normal). The SKILL.md asks the agent to install other skills into its workspace and then restart, which grants those installed skills persistent presence and potential autonomous execution — a normal outcome of installing skills, but it increases blast radius if the source is untrusted.
What to consider before installing
This skill tells the agent to use an external CLI (linkfoxskill) to download and install third‑party skills into your agent's workspace, but it provides no homepage, source, or verification steps. Before installing or enabling this skill:
1) Ask for the linkfoxskill binary's origin and inspect it: where does it download packages from?
2) Require package provenance (signed releases, repository URL, or marketplace terms) and review the code of any skill before installing.
3) Back up your agent workspace and run installations in a sandbox or isolated environment first.
4) Avoid granting credentials to newly installed skills and limit autonomous invocation until you trust the marketplace content.
5) If you cannot verify the CLI/marketplace, do not run the install/update commands suggested in SKILL.md.
