Skill v1.0.0

ClawScan security

Ebay Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Mar 31, 2026, 4:48 AM)
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill appears to do what it says (search eBay) but its metadata omits a required API credential and it sends queries to an external LinkFox gateway, so you should verify the external service and be cautious about what data you send.
Guidance
This skill will forward whatever you ask it to https://tool-gateway.linkfox.com/ebay/search and expects an API key in the LINKFOXAGENT_API_KEY environment variable, but the registry incorrectly lists no required env vars. Before installing or using it: (1) verify who operates tool-gateway.linkfox.com / LinkFox and whether you trust them to receive your queries; (2) do not send PII, secrets, or sensitive corporate data through the skill; (3) if you need to use it, prefer creating a scoped/test API key and review the provider's privacy/policy; (4) if you administer a fleet, require the publisher to correct the skill metadata to declare LINKFOXAGENT_API_KEY; (5) you can inspect and run the included scripts locally (they do a single POST) or route traffic through a proxy to confirm behavior. If you cannot verify the gateway operator, consider using official eBay APIs or a trusted integration instead.

Review Dimensions

Purpose & Capability
concern: The skill's claimed purpose (search eBay listings) matches the code and docs, which call an external eBay-search gateway. However, the registry metadata lists no required environment variables or credentials, while both references/api.md and scripts/ebay_search.py clearly require a LINKFOXAGENT_API_KEY. This mismatch is incoherent and should be clarified.
Instruction Scope
concern: The SKILL.md and references instruct the agent to POST user query parameters to https://tool-gateway.linkfox.com/ebay/search and to supply an Authorization header taken from the LINKFOXAGENT_API_KEY environment variable. That means user queries (and any sensitive content included in them) will be transmitted to an external service. The instructions do not request or read other system files, and the Python script is straightforward and non-obfuscated, but the external-network behavior and the missing declaration of the required env var are concerning.
Install Mechanism
ok: No install spec is present (instruction-only skill with an included Python helper). There is no download-from-URL or package-install step, and the included script is small and readable. This lowers install risk.
Credentials
concern: Functionally, the skill reasonably needs one API key to call the LinkFox gateway, but the skill registry metadata claims no required env vars while the code and docs require LINKFOXAGENT_API_KEY. Requiring an API key is proportional to the purpose, but the missing declaration and the fact that the key authorizes an external service that will see query content are red flags.
Persistence & Privilege
ok: The skill does not request persistent presence (always:false) and does not modify other skills or system configuration. It only makes outbound POST requests when invoked.