ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Amazon Search By Image

v1.0.0

基于图片的亚马逊跨站点视觉商品搜索。当用户想通过图片URL在亚马逊上查找外观相似的商品、按外观搜索竞品、找同款或视觉相似商品、在亚马逊上以图搜图、通过照片识别商品、发现相同视觉设计的替代品、image search, Amazon visual search, find similar products, vis...

0· 42·0 current·0 all-time
by@linkfox-ai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's name/description (Amazon image-based search) matches its behavior: SKILL.md, references/api.md, and the included script all call an external LinkFox tool gateway to perform image searches. However, the registry metadata lists no required environment variables or primary credential, yet the code and API docs clearly rely on an API key (LINKFOXAGENT_API_KEY). Also there is no homepage or clear publisher info (source unknown).
Instruction Scope
The instructions are narrowly scoped to submitting a user-provided image URL and parameters to the LinkFox API, rendering results, and handling errors. They do not instruct the agent to read unrelated local files or other credentials. Note: the tool will send user-supplied image URLs and search parameters to external endpoints (tool-gateway.linkfox.com and skill-api.linkfox.com for feedback).
Install Mechanism
No install spec; the skill is instruction-only with a small helper script included. There is no download-from-URL or package installation, and nothing is written to disk by an installer step beyond the provided files.
!
Credentials
The included script and API docs require LINKFOXAGENT_API_KEY (sent in the Authorization header). The registry metadata lists no required env vars or primary credential, which is inconsistent and could mislead users during setup. Also this skill transmits image URLs (which may be sensitive) to an external service — consider privacy implications before providing private images or URLs.
Persistence & Privilege
The skill does not request persistent presence (always:false), does not modify other skills or system configs, and declares no config paths. Autonomous invocation is allowed (platform default) but not combined with other special privileges.
What to consider before installing
This skill appears to be a thin wrapper around an external LinkFox image-search API and requires an API key (LINKFOXAGENT_API_KEY), but the package metadata did not declare that requirement and the publisher/homepage is missing. Before installing: 1) verify the publisher and the LinkFox API owner (tool-gateway.linkfox.com / skill-api.linkfox.com) and confirm you trust them; 2) do not supply private or sensitive image URLs unless you accept that they will be sent to that external service; 3) set the LINKFOXAGENT_API_KEY only if you obtained it from a trusted source, and treat it like any API secret (rotate/revoke if concerned); 4) request the skill author to update metadata to declare the required env var and provide a homepage/source for accountability. If you cannot verify the provider, avoid enabling the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97202hxfyyxegtx8v7bwvk7z583yc9f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments