Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Amazon Reviews

v1.0.0

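Fetch and analyze Amazon product reviews by ASIN, with support for filtering reviews by star rating across 14 marketplaces. When the user mentions Amazon reviews, product ratings, buyer complaints, negative reviews, positive reviews, star ratings, review analysis, review sentiment, product improvement suggestions, Vine reviews, verified purchase reviews, competitor review research, Amazon reviews, product feedback, negative review ana...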

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose (fetch and analyze Amazon reviews) matches the code and docs, which call an external LinkFox reviews API. However, the registry metadata lists no required environment variables or primary credential, while the included docs and script clearly require LINKFOXAGENT_API_KEY. That discrepancy is an inconsistency between declared requirements and actual capabilities.
Instruction Scope
SKILL.md and references/api.md instruct the agent to call https://tool-gateway.linkfox.com/amazon/reviews/list (and provide a separate feedback endpoint) and to run the bundled Python script. They do not read local files or other unrelated credentials. The trigger rules in SKILL.md are broad (will activate for many user phrases), which could cause the agent to call the external API more often than expected.
Install Mechanism
There is no install spec (instruction-only skill plus a small helper script). No archives or remote installers are used. Risk from installation mechanism is low.
Credentials
The skill requires an API key (LINKFOXAGENT_API_KEY) to authenticate to the LinkFox gateway, but the registry metadata does not declare this environment variable or a primary credential. Requesting a single API key is proportional to the task, but the missing declaration is a packaging/information problem that could mislead users about what secrets the skill needs. Also note that user-provided review text and ASIN queries will be transmitted to the external service.
Persistence & Privilege
always is false and the skill does not request any elevated or persistent platform privileges. It does not modify other skills or global config.
What to consider before installing
This skill calls an external LinkFox API and requires an API key (LINKFOXAGENT_API_KEY) even though the registry metadata doesn't list it. Before installing, verify the LinkFox endpoints (tool-gateway.linkfox.com and skill-api.linkfox.com) and the publisher's trustworthiness; do not send sensitive or proprietary text through the skill unless you trust the service. If you proceed, set the API key in an isolated credential store and confirm the developer/publisher identity. The metadata omission is likely sloppy packaging but could also hide what secrets the skill needs—ask the provider to correct the declared requirements before wide deployment.

Like a lobster shell, security has layers — review code before you run it.
