Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Dld Product Billboard
v1.0.1
Query 1688 product bestseller ranking data, for sourcing discovery and wholesale product-selection research. Use when the user mentions 1688 product rankings, 1688 bestseller lists, wholesale hot-selling products, domestic sourcing rankings, dropshipping product selection, 1688 trending products, popular bulk-purchase items, supplier product rankings, 1688 billboard, 1688 bestsellers, sourcing rankings, wholesa...
⭐ 0 · 60 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious · high confidence
Purpose & Capability
The skill's stated purpose (query 1688 bestseller/billboard data) matches the code and reference docs: the Python script POSTs parameters to a LinkFox tool-gateway API that returns 1688 ranking data. However, the registry metadata declares no required environment variables or primary credential, while both the script and the references clearly require LINKFOXAGENT_API_KEY; that omission is an inconsistency between the metadata and the code.
Instruction Scope
The runtime instructions and code transmit whatever query parameters the user provides to an external service (https://tool-gateway.linkfox.com/dld/productBillboard). SKILL.md also instructs the agent to trigger broadly on many keywords (including triggering when users don't explicitly say "1688榜单", i.e. "1688 rankings"), which could lead to unexpected outbound requests. The instructions and code read an environment API key that is not declared in the skill metadata, and they do not describe consent or data-handling policies.
Install Mechanism
No install spec: the skill is instruction-only plus a small Python script that uses the standard-library urllib module. Nothing is downloaded from arbitrary URLs and no binaries are installed.
Credentials
The code requires an API key in environment variable LINKFOXAGENT_API_KEY to call the LinkFox API, but the skill metadata lists no required env vars or primary credential. Requesting an API key for an external service is reasonable for this purpose, but the missing declaration is a notable mismatch and the environment secret will be sent as an Authorization header to a third party. Users should treat that key as sensitive and confirm the provider and scope before supplying it.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and contains no install-time persistence mechanisms. It only runs a request at invocation time.
What to consider before installing
This skill appears to be a thin client that forwards search parameters to LinkFox's product-billboard API and returns results — which is consistent with its purpose — but there are two issues you should consider before installing or providing credentials:
- The package metadata did NOT declare the required environment variable, yet the code reads LINKFOXAGENT_API_KEY and will send it as an Authorization header to https://tool-gateway.linkfox.com. Do not set that API key unless you trust the LinkFox service and understand what that key grants access to.
- The skill will transmit user-provided query parameters and any data included in requests to an external third-party endpoint. If the queries could include sensitive information (identifiers, proprietary product lists, supplier contacts), beware of exfiltration risk.
Recommended steps:
1) Ask the publisher to update the registry metadata to declare LINKFOXAGENT_API_KEY (and explain the key's scope) so the requirement is visible before install.
2) Verify the LinkFox endpoints and the Feishu wiki link in the script to ensure they are legitimate for your organization.
3) If you must test, run the Python script locally first with a throwaway key and inspect network traffic.
4) Avoid providing other unrelated secrets to this skill.
If you cannot verify the provider or metadata, treat the skill as untrusted.
Like a lobster shell, security has layers — review code before you run it.
latest · vk973zee69dedrdfng9s59dsp0n83y72y
