Skill v1.0.0

ClawScan security

Eureka Description Translated · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 17, 2026, 1:55 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's stated purpose (fetching translated patent descriptions from Eureka) matches its code, but the package metadata omits a required API key and thus the skill's declared requirements are inconsistent with what it actually needs to run.
Guidance
This skill appears to do what it says (fetch translated patent descriptions), but its metadata fails to declare that it requires an API key (LINKFOXAGENT_API_KEY). Before installing or enabling it: 1) ask the publisher to update the manifest to declare LINKFOXAGENT_API_KEY as a required credential so you know a secret will be used; 2) only provide an API key you trust and that has minimal scope; 3) verify the API endpoint (https://tool-gateway.linkfox.com) is legitimate for your organization; and 4) if you cannot confirm the publisher or the endpoint, avoid supplying sensitive credentials and do not enable autonomous invocation. If you proceed, consider running the included script manually first to confirm behavior and to see exactly what data is sent and returned.

Review Dimensions

Purpose & Capability
ok: The name, description, SKILL.md, API reference, and script all consistently implement a tool to fetch translated patent description text from the Eureka endpoint (tool-gateway.linkfox.com). The allowed languages, identifier rules, and behavior (family fallback, batch queries) align with the stated purpose.
Instruction Scope
concern: The runtime instructions and API reference direct the agent to call an external HTTP API and to run the included script. The script reads an environment variable (LINKFOXAGENT_API_KEY) to set the Authorization header — but the skill's top-level metadata declared no required environment variables. SKILL.md and references/api.md do mention the API key, but the registry metadata does not; this mismatch means instructions access a credential not declared in the package manifest.
Install Mechanism
ok: This is an instruction-only skill with an included helper script and no install spec. No third-party packages are downloaded and nothing is written to disk by an installer. Execution risk is limited to the provided script which makes outbound HTTPS calls.
Credentials
concern: The code and API documentation require a LINKFOXAGENT_API_KEY to authenticate requests to the LinkFox tool gateway, but the skill metadata lists no required environment variables or primary credential. Requiring an API key for the external service is reasonable for the stated purpose, but failing to declare it in the manifest is an incoherence and a practical risk (users may not realize they must provide a secret). No other unrelated credentials are requested.
Persistence & Privilege
ok: The skill does not request persistent/always-on privileges, does not declare system config path access, and does not modify other skills. Autonomous invocation is enabled by default but is not combined with additional high privileges.