Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Dld Product Search
v1.0.1: Searches and analyzes products on China's 1688 wholesale platform (Alibaba's domestic B2B marketplace) for sourcing, supplier discovery and product selection. Use when the user mentions 1688 product search, finding sources on 1688, finding suppliers on 1688, wholesale product lookups, factory sources, drop-shipping supplier search, 1688 keyword product selection, wholesale price comparison, filtering by sales volume, any product-selection research on the 1688 platform, 1688 search, 168...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The code and docs implement a 1688 product-search via DianLeiDa/LinkFox (POST to https://tool-gateway.linkfox.com/dld/productSearch), which matches the skill's stated purpose. However, the skill metadata declares no required environment variables or primary credential even though the script and API docs require LINKFOXAGENT_API_KEY for Authorization. The missing declaration is an incoherence and raises a provenance/permissions concern.
Instruction Scope
SKILL.md and references/api.md are focused on search parameters and API usage and do not ask the agent to read unrelated system files. One operational note: the skill's frontmatter instructs the agent to trigger broadly whenever user intent involves sourcing from domestic Chinese marketplaces (even if '1688' isn't mentioned), which may cause the skill to activate more often than expected and send user queries to the remote API.
Install Mechanism
This is an instruction-only skill with a small helper script; there is no install spec, no downloads, and no packages being installed. The script only performs an HTTPS POST and prints results — no arbitrary extract/install behavior detected.
Credentials
The runtime script requires an API key via the environment variable LINKFOXAGENT_API_KEY (and instructs users how to obtain/set it), but the skill's declared requirements list no environment variables or primary credential. That mismatch is disproportionate and opaque. Additionally, user search terms, product URLs, and other query parameters will be transmitted to tool-gateway.linkfox.com, so the API key and query data are sensitive and should be justified and scoped.
Persistence & Privilege
The skill does not request 'always: true', does not modify other skills or system config, and uses no elevated privileges. Autonomous invocation is enabled by default but is not combined with other high-privilege requests.
What to consider before installing
- The code will send user-provided search terms/product URLs to https://tool-gateway.linkfox.com and requires an API key in the LINKFOXAGENT_API_KEY environment variable — confirm you are comfortable sending that data to this domain and that the API key's permissions are appropriate.
- The skill metadata does NOT declare the LINKFOXAGENT_API_KEY requirement; ask the publisher to correct the metadata so required credentials are explicit.
- The package has no homepage and owner identity is unknown; verify the publisher (owner ID) and trustworthiness of LinkFox and the Feishu wiki referenced in the script before providing credentials.
- Because the skill triggers broadly for any domestic-sourcing intent, consider whether it will run in situations where you don't want queries sent externally; if necessary, restrict automatic triggering or require explicit user confirmation before calling the external API.
- If you proceed: test in a controlled environment, use a scoped/rotatable API key, and monitor API usage. If you cannot verify the endpoint/publisher, avoid supplying a production API key.
