Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Amazon Product Detail
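v1.0.0
Retrieve detailed Amazon product information by ASIN, including title, images, five-point (bullet) description, specifications, A+ page, price, ratings and reviews, variants, and more. When the user mentions Amazon product details, ASIN lookup, product page data, Listing analysis, five-point description extraction, product image retrieval, variant viewing, competitor Listing research, price lookup, review breakdown, product specification lookup, Amazon product deta...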
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated purpose (lookup Amazon product details by ASIN) matches its actions: SKILL.md, references/api.md, and the included script all call an external LinkFox API to retrieve structured product data. However, the registry metadata lists no required environment variables while the code and API docs clearly require an API key (LINKFOXAGENT_API_KEY). That metadata omission is inconsistent and should be corrected.
Instruction Scope
The runtime instructions and script are narrowly scoped: they build a JSON request and POST it to https://tool-gateway.linkfox.com/amazon/product/detail and optionally call a separate feedback endpoint. The skill does not instruct reading arbitrary local files, system secrets, or unrelated configuration paths. All data sent (ASINs, optional deliveryZip, device, flags) is relevant to the stated purpose.
Install Mechanism
There is no install spec (instruction-only) and the included Python script is small and straightforward. Nothing is downloaded from untrusted URLs during install. The primary risk comes from runtime network calls to an external API, which is expected for this service.
Credentials
The code and API documentation require an API key in the environment variable LINKFOXAGENT_API_KEY to authenticate requests to the LinkFox gateway. The skill package metadata, however, declares no required env vars. That mismatch is problematic: it obscures the need to provide a credential, and users may not realize they must supply a secret which will be sent in Authorization headers to an external domain. Apart from that single API key, no other credentials are requested and the scope of required secrets is proportional to the service.
Persistence & Privilege
The skill does not request permanent system presence (always: false), does not modify other skills or system-wide settings, and contains no installation steps that persist beyond the included files. Autonomous invocation is allowed (platform default) but is not combined with other high privileges.
What to consider before installing
This skill does what it says (fetches Amazon listing details) and uses an external LinkFox API to do so. Before installing or using it:
- Be aware it requires an API key (LINKFOXAGENT_API_KEY) even though the registry metadata did not declare that — supplying this key sends it in the Authorization header to https://tool-gateway.linkfox.com. Only provide the key if you trust LinkFox and the endpoint.
- The skill will transmit ASINs and optional fields (e.g., delivery ZIP) to the external service; do not send any sensitive PII or secrets as query parameters.
- Confirm billing/cost implications (the SKILL.md notes per‑ASIN billing) so you don't accidentally incur charges with large batches.
- Ask the publisher to update the skill metadata to declare the required environment variable and to document privacy/retention of submitted data.
- If you need higher assurance, inspect the operator (LinkFox) and the Feishu doc linked in the files to verify legitimacy, or run requests through an account you control that limits permissions.
Given the single clear inconsistency (undeclared required env var) but otherwise coherent behavior, treat this as suspicious rather than outright malicious.
Like a lobster shell, security has layers — review code before you run it.
latestvk97c4k8dgt69rr8dpx2ph7vsv583y110
