Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Echotik New Product Rank

v1.0.1

Discover trending new products across 16 TikTok Shop regional markets using EchoTik's new-product ranking data. Triggered when the user mentions TikTok new product rankings, TikTok best-selling products, TikTok Shop hot items, short-video e-commerce product selection, TikTok new product discovery, cross-border TikTok product selection, TikTok new product rankings, TikTok bestsel...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
The skill's purpose (querying EchoTik new-product rankings) matches the included code and docs, but the registry metadata lists no required credentials while the script and API docs clearly require an API key (LINKFOXAGENT_API_KEY). That missing declaration is a mismatch between what the skill declares and what it actually needs.
Instruction Scope
SKILL.md and references/api.md confine runtime actions to calling the LinkFox tool-gateway API and optionally the Feedback API. Instructions do not request unrelated files, host system data, or broad context collection. However, the runtime guidance expects an environment-stored API key (documented in the script/docs) even though the registry metadata omitted it.
Install Mechanism
There is no install spec or remote download; the package contains a small Python script and docs. No archives or external installers are fetched, so install-time risk is low.
Credentials (flagged)
The script requires a single API credential (LINKFOXAGENT_API_KEY) to authenticate requests to https://tool-gateway.linkfox.com, which is proportionate for an API caller. The problem is that the skill registry declares no required environment variables or primary credential; the absent declaration is a red flag because users will not be informed that the skill needs a secret or where it will be used.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system settings, and has normal autonomous-invocation defaults. No elevated or permanent privileges are requested.
What to consider before installing
This skill appears to be a straightforward API client for EchoTik/LinkFox, but the included Python script expects an environment variable LINKFOXAGENT_API_KEY even though the registry metadata lists no required credentials. Before installing:
1. Confirm that the providers (tool-gateway.linkfox.com and skill-api.linkfox.com) are legitimate for your use.
2. Ask the publisher or registry why LINKFOXAGENT_API_KEY is not declared, and request an updated metadata entry that documents the required API key.
3. Only provide a dedicated, least-privilege API key (not a high-privilege or unrelated service credential), and store it securely.
4. Consider testing the skill in an isolated environment and monitoring its network requests to verify that only the expected data (date/region/page) is sent.
5. If you need stronger assurances, request provenance for the Feishu authorization link and confirm the key's intended scope and expiry/rotation policy.


latest vk9787c6v1b4h97tzhfegchp0kx83yzbm

