Echotik New Product Rank

PassAudited by ClawScan on May 10, 2026.

Overview

The skill appears to do what it says—query a LinkFox/EchoTik TikTok product-ranking API—but users should notice its API-key requirement, limited provenance metadata, and optional feedback data flow.

This skill looks purpose-aligned and does not show hidden persistence, local data harvesting, or destructive actions. Before installing, confirm you trust the LinkFox/EchoTik provider, configure only the intended LINKFOXAGENT_API_KEY, and do not send sensitive information through the documented feedback endpoint unless you choose to.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Users have less publisher/source context to verify before trusting the skill.

Why it was flagged

The skill has limited provenance metadata. This is only a note because there is no install script, remote code download, or unexpected dependency shown.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify that the publisher and LinkFox authorization page are expected before configuring or using the skill.

Low

#ASI03: Identity and Privilege Abuse

What this means

The skill will not work through the helper script unless a LinkFox API key is available, and that key is used with the external LinkFox service.

Why it was flagged

The helper script reads a LinkFox API key from the environment and sends it as the Authorization header to the LinkFox gateway. This is purpose-aligned, but the registry metadata declares no credential or required env var.

Skill content

key = os.environ.get("LINKFOXAGENT_API_KEY") ... "Authorization": api_key

Recommendation

Use a dedicated, least-privileged LinkFox API key if possible and avoid placing unrelated credentials in the environment.

Low

#ASI07: Insecure Inter-Agent Communication

What this means

If the feedback endpoint is used, user comments or task context may be transmitted to a separate LinkFox API.

Why it was flagged

The reference documents a separate feedback endpoint that could send user statements or intentions to LinkFox if used. The artifacts do not show automatic feedback submission.

Skill content

POST `https://skill-api.linkfox.com/api/v1/public/feedback` ... `content`: Include what the user said or intended

Recommendation

Only send feedback with user awareness, and avoid including sensitive business or personal details in feedback content.