Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Echotik Product Search
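v1.0.3
Search and analyze TikTok product data, including sales volume, creator sales data, pricing and commission rates, covering 16 TikTok Shop sites. When the user mentions TikTok product search, TikTok Shop product analysis, TikTok sales data, creator-driven sales, TikTok product selection, TikTok commission rates, TikTok product rankings, EchoTik data queries, TikTok pr...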
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name, description, API endpoint (tool-gateway.linkfox.com), examples, and included script all align with a TikTok Shop product-search capability. The included Python script calls the listed API and the reference doc documents the same parameters and response fields.
Instruction Scope
SKILL.md instructs the agent to call the LinkFox tool gateway API and/or run the provided script with JSON parameters — that stays within the stated purpose. One design choice to note: the skill should auto-trigger for a broad set of phrases (including cases where 'TikTok' isn't explicitly mentioned), which may cause over-triggering in ambiguous conversations.
Install Mechanism
There is no install spec (instruction-only behavior) and the included script is standalone Python that requires no installation. This is low-risk compared to remote download/install flows.
Credentials
The skill's runtime files (scripts/echotik_list_product.py) and references clearly require an API key from the environment variable LINKFOXAGENT_API_KEY, but the registry metadata lists no required environment variables or primary credential. The skill will fail without that key, and the missing declaration is an incoherence that could hide credential requirements from users. The API key is sent in an Authorization header to https://tool-gateway.linkfox.com; no other credentials are requested.
Persistence & Privilege
always:false and there's no install-time persistent modification. The skill can be invoked autonomously (disable-model-invocation:false) which is platform default; this increases blast radius if you supply credentials, but by itself is not an unusual setting.
What to consider before installing
Key things to check before installing:
- The skill's code and docs require an environment variable LINKFOXAGENT_API_KEY (used as Authorization) but the registry metadata does not declare this — expect to need that API key. Confirm where that key comes from and whether you trust the provider.
- The skill calls https://tool-gateway.linkfox.com (primary data flow) and references a Feishu wiki URL for obtaining the key (yxgb3sicy7.feishu.cn). Verify both endpoints and the publisher identity before providing credentials.
- Because the skill can be invoked autonomously, do not supply long-lived or highly privileged credentials unless you trust the service. Prefer scoped/ephemeral keys and monitor usage.
- The skill is designed to auto-trigger on many phrases (including vague ones), which may cause unexpected activations. If you want tighter control, avoid enabling autonomous invocation or restrict triggers.
- If you need to proceed, request the publisher to update the registry metadata to explicitly list LINKFOXAGENT_API_KEY as a required environment variable and to provide clear documentation about what permissions that key grants and where it is stored or logged.

Like a lobster shell, security has layers — review code before you run it.
