Skill v1.0.0
ClawScan security
FastMoss TikTok Product Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Apr 17, 2026, 1:42 AM)
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's functionality (querying FastMoss via LinkFox gateway) is coherent, but the package omits a declared required credential and has no verified source/homepage — this mismatch and missing provenance are concerning.
- Guidance
- Key points to check before installing:
  - (1) This package expects a LINKFOXAGENT_API_KEY (used in the included script and API docs) but the skill metadata does not declare it. Ask the publisher to declare required env vars and explain the key's scope.
  - (2) The skill posts queries to https://tool-gateway.linkfox.com/fastmoss/productSearch and may optionally post feedback to https://skill-api.linkfox.com; verify you trust those domains and the vendor (there is no homepage or verified owner).
  - (3) Prefer issuing an API key scoped to this skill (or a temporary/test key) rather than reusing broad or production credentials.
  - (4) Inspect and run the bundled script locally to confirm behavior; it exits if the key is missing and only sends requests to the documented endpoints.
  - (5) If provenance is unclear (unknown source/owner), consider not providing real credentials or running inside a restricted environment until you can verify the publisher and privacy terms.
Review Dimensions
- Purpose & Capability
- note: The name/description (TikTok product search via FastMoss) matches the code and API docs: the skill calls https://tool-gateway.linkfox.com/fastmoss/productSearch and returns product data. However, the skill metadata declares no required environment variables or primary credential while the included documentation and script require an API key (LINKFOXAGENT_API_KEY). This omission is an inconsistency that should be clarified.
- Instruction Scope
- ok: SKILL.md and references/api.md limit runtime actions to building a JSON request and POSTing it to the LinkFox tool-gateway API (and optionally a separate feedback endpoint). The instructions do not ask the agent to read unrelated system files or exfiltrate arbitrary data. They do instruct running the bundled Python script or performing curl requests.
- Install Mechanism
- ok: There is no install spec (instruction-only with a small helper script). Nothing is downloaded or installed automatically, which reduces risk. The included Python script is simple and calls an external HTTPS API.
- Credentials
- concern: The skill requires an API key at runtime (LINKFOXAGENT_API_KEY) according to both references/api.md and scripts/fastmoss_product_search.py, but the skill metadata lists no required env vars or primary credential. Requiring an API key for the LinkFox gateway is reasonable for this purpose, but the missing declaration is a problematic mismatch and prevents proper permission review. Also note that the API key grants the skill the ability to query the external service — users should confirm what that key can do and avoid supplying broader credentials.
- Persistence & Privilege
- ok: The skill does not request always:true, does not modify other skills or system-wide settings, and does not attempt to persist credentials on its own. Autonomous invocation is allowed (platform default) but not combined with other high privileges.
