ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aba Data Explorer

v1.0.0

亚马逊ABA(品牌分析)搜索词数据的查询与分析,涵盖15个站点近3年的周维度数据。当用户提到ABA数据、亚马逊搜索词分析、关键词挖掘、搜索排名趋势、市场机会分析、季节性关键词、高点击低转化分析、蓝海词发现、竞品关键词分析、ABA data, search term report, keyword mining,...

0· 39·0 current·0 all-time
by@linkfox-ai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's purpose (querying Amazon Brand Analytics via a LinkFox gateway) aligns with the included code and API docs. However the registry metadata lists no required environment variables while both references/api.md and scripts/aba_query.py require an API key (LINKFOXAGENT_API_KEY). That mismatch is an incoherence in the package manifest.
Instruction Scope
SKILL.md and scripts/aba_query.py instruct only to build an analysisDescription, call the LinkFox ABA endpoint, and optionally create a download URL. They do not ask to read arbitrary local files or unrelated credentials. The skill will send query text and parameters to the external API, which is expected for this functionality.
Install Mechanism
No install spec; this is instruction-only with a small helper script included. Nothing is downloaded or extracted at install time, so install risk is low.
Credentials
At runtime the script and API docs require LINKFOXAGENT_API_KEY in the environment (used as an Authorization header). That single credential is proportionate to calling the external LinkFox API — but the registry metadata failing to declare it is a transparency issue and can lead to surprise when the skill requires a secret.
Persistence & Privilege
The skill does not request always:true or other elevated presence. It does not modify other skill configs. Normal autonomous invocation is allowed and appears appropriate for this integration.
What to consider before installing
What to check before installing: (1) The skill uses an external API at https://tool-gateway.linkfox.com and requires an API key via the environment variable LINKFOXAGENT_API_KEY, but the registry metadata omitted that requirement — expect to provide that secret. (2) Verify you trust the LinkFox endpoints (tool-gateway.linkfox.com and skill-api.linkfox.com) and the source of the API key; queries and returned data will be sent to that external service. (3) Prefer using a limited-scope or revocable API key rather than a long-lived global secret. (4) If you need stronger assurance, ask the publisher for a provenance/homepage and for the registry metadata to be corrected to declare required env vars. (5) Because the skill can be invoked autonomously, consider limiting where the API key is set (e.g., per-skill config or ephemeral token) and monitor usage for unexpected queries.

Like a lobster shell, security has layers — review code before you run it.

latestvk972tn8799dc7p2swxvk8wffc183ztnw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments