Echotik Product Search

PassAudited by ClawScan on May 10, 2026.

Overview

This skill appears to be a coherent TikTok Shop product-search integration, but it sends queries and a LinkFox API key to LinkFox services and documents a separate feedback endpoint.

This skill looks safe for its stated purpose. Before using it, confirm you trust LinkFox with your product-search queries and API key, keep the key in an environment variable, and do not allow feedback submissions that include sensitive personal or business details unless you intend to share them.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI02: Tool Misuse and Exploitation

What this means

Your TikTok product queries and filters are sent to LinkFox’s gateway to retrieve results.

Why it was flagged

The helper posts user-supplied product-search parameters to LinkFox. This is expected for the stated product-search purpose, but users should know their search terms and filters leave the local environment.

Skill content

API_URL = "https://tool-gateway.linkfox.com/echotik/listProduct" ... Request(API_URL, data=data, headers={"Authorization": api_key, "Content-Type": "application/json"}, method="POST")

Recommendation

Use this only for queries you are comfortable sending to the LinkFox service, and avoid including unrelated private information in search terms.

Low

#ASI03: Identity and Privilege Abuse

What this means

The skill requires a LinkFox API key, and that key authorizes requests to the LinkFox tool gateway.

Why it was flagged

The skill uses an API key from the environment and sends it as an Authorization header. This is purpose-aligned for the LinkFox API, but it is a credential dependency users should notice.

Skill content

key = os.environ.get("LINKFOXAGENT_API_KEY") ... "Authorization": api_key

Recommendation

Store the API key securely as an environment variable, do not paste it into chat, and rotate or revoke it if it is exposed.

Low

#ASI07: Insecure Inter-Agent Communication

What this means

If used, feedback submissions could share details about what you asked for or intended with a separate LinkFox endpoint.

Why it was flagged

The reference documents a separate feedback endpoint that could send user feedback or conversation-derived content to LinkFox. No included code calls it automatically, but it is an additional data flow outside the main product-search API.

Skill content

POST `https://skill-api.linkfox.com/api/v1/public/feedback` ... `content`: Include what the user said or intended, what actually happened, and why it is a problem or praise

Recommendation

Only submit feedback with user awareness and avoid including sensitive business or personal information in feedback content.