Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Amazon Search
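v1.0.0
Simulates a real user searching on the Amazon storefront to get real-time keyword rankings and search results page data. When the user mentions Amazon product search, search result scraping, keyword ranking on the search page, ASIN ranking position lookup, competitor discovery, search page price comparison, sponsored product analysis, new product monitoring, storefront search simulation, Amazon search, keyword ranking, search results, AS...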
⭐ 0· 43·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Amazon search simulation) matches the implementation: SKILL.md, references/api.md, and scripts/amazon_search.py all call a LinkFox search API. However the skill metadata declares no required environment variables while the docs and script clearly rely on LINKFOXAGENT_API_KEY. The skill source/homepage is also missing, reducing traceability.
Instruction Scope
SKILL.md instructs the agent to call an external API gateway (tool-gateway.linkfox.com) and to run the included script. The frontmatter also defines very broad trigger rules (trigger any time user intent relates to front-end search/ranking), which can cause the agent to invoke this external service for many user messages. The instructions reference and require the LINKFOXAGENT_API_KEY (via references/api.md and the script), but that env var is not declared in the skill metadata — a scope/visibility mismatch that may prevent proper user consent or warning.
Install Mechanism
No install spec is provided (instruction-only with an optional helper script). Nothing is downloaded or written during install; the included python script simply issues HTTPS requests. This is low install risk.
Credentials
The code and API docs require an API key via environment variable LINKFOXAGENT_API_KEY, but the skill's declared requirements list no env vars and metadata does not surface this credential. Requesting an API key to call a third-party scraping/search gateway is reasonable for the stated purpose, but the omission from metadata is a transparency problem: users may not realize they must provide a key or where traffic/data is sent. Also the external endpoints (tool-gateway.linkfox.com and skill-api.linkfox.com) are third-party — users should confirm trust and data handling policies before providing credentials.
Persistence & Privilege
The skill does not request always:true and does not request elevated platform privileges. It is user-invocable and (by platform default) may be invoked autonomously; this is normal. The skill does not modify other skills or system-wide config.
What to consider before installing
This skill genuinely implements an Amazon front-end search simulation via a LinkFox API, but there are transparency issues you should resolve before installing. Things to consider: (1) The script and docs require an API key named LINKFOXAGENT_API_KEY, yet the skill metadata does not declare this — ask the publisher to add that to the metadata so you'll be prompted and can give informed consent. (2) Confirm the identity and reputation of the service operator (linkfox.com) and review their privacy/TOS: your queries (search keywords, delivery zips, resulting product data) will be sent to their API. (3) Prefer issuing a least-privilege key (revocable, limited scope/usage/quota) and test with non-sensitive queries first. (4) The skill's trigger rules are broad — if you don’t want it invoked automatically for any SERP-related question, ask for the trigger to be narrowed or for explicit user confirmation before calling the external API. (5) If you need stronger assurance, request the publisher provide a homepage/source repository and a privacy/security statement explaining what data is logged or retained by the LinkFox endpoints.
Like a lobster shell, security has layers — review code before you run it.
