ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ebay Search

v1.0.0

在多个eBay国际站点上搜索和浏览商品listing。当用户提到eBay商品搜索、eBay listing查询、eBay价格对比、eBay市场浏览、eBay已售商品、eBay拍卖搜索、eBay选品调研、eBay search, eBay products, eBay pricing, eBay competito...

0· 54·0 current·0 all-time
by@linkfox-ai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's claimed purpose (search eBay listings) matches the code and docs, which call an external eBay-search gateway. However the registry metadata lists no required environment variables or credentials while both references/api.md and scripts/ebay_search.py clearly require a LINKFOXAGENT_API_KEY. This mismatch is incoherent and should be clarified.
!
Instruction Scope
The SKILL.md and references instruct the agent to POST user query parameters to https://tool-gateway.linkfox.com/ebay/search and to supply an Authorization header taken from the LINKFOXAGENT_API_KEY environment variable. That means user queries (and any sensitive content included in them) will be transmitted to an external service. The instructions do not request or read other system files, and the Python script is straightforward and non-obfuscated, but the external-network behavior and the missing declaration of the required env var are concerning.
Install Mechanism
No install spec is present (instruction-only skill with an included Python helper). There is no download-from-URL or package-install step, and the included script is small and readable. This lowers install risk.
!
Credentials
Functionally the skill reasonably needs one API key to call the LinkFox gateway, but the skill registry metadata claims no required env vars while the code and docs require LINKFOXAGENT_API_KEY. Requiring an API key is proportional to the purpose, but the missing declaration and the fact the key authorizes an external service that will see query content are red flags.
Persistence & Privilege
The skill does not request persistent presence (always:false) and does not modify other skills or system configuration. It only makes outbound POST requests when invoked.
What to consider before installing
This skill will forward whatever you ask it to https://tool-gateway.linkfox.com/ebay/search and expects an API key in the LINKFOXAGENT_API_KEY environment variable, but the registry incorrectly lists no required env vars. Before installing or using it: (1) verify who operates tool-gateway.linkfox.com / LinkFox and whether you trust them to receive your queries; (2) do not send PII, secrets, or sensitive corporate data through the skill; (3) if you need to use it, prefer creating a scoped/test API key and review the provider's privacy/policy; (4) if you administer a fleet, require the publisher to correct the skill metadata to declare LINKFOXAGENT_API_KEY; (5) you can inspect and run the included scripts locally (they do a single POST) or route traffic through a proxy to confirm behavior. If you cannot verify the gateway operator, consider using official eBay APIs or a trusted integration instead.

Like a lobster shell, security has layers — review code before you run it.

latestvk977nsjgybt6jc9eexr4pb41v183z30j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments