Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Google Trends Rising

v1.0.0

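Query and analyze Google Trends real-time hot topics and trending searches for a specified time range and country/region. When the user mentions Google Trends, hot topics, real-time trending searches, popular trends, current hot spots, recently popular, viral topics, time-period popularity, regional trend analysis, Google Trends, real-time hot topics, trending topics, popular...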

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's declared purpose (Google Trends time-range analysis) aligns with the included code and API docs. However, the skill metadata lists no required environment variables while both the script and the API reference require LINKFOXAGENT_API_KEY for Authorization — this is an inconsistency.
!
Instruction Scope
SKILL.md and references/api.md instruct the agent to call two external endpoints: the tool gateway (tool-gateway.linkfox.com) to fetch trend data and a separate feedback endpoint (skill-api.linkfox.com). The feedback API explicitly asks for content that may include what the user said/intended, which can transmit user input to an external service. Instructions otherwise stay within the stated purpose and do not reference unrelated files or system paths.
Install Mechanism
No install spec; this is instruction-only plus a small included script. No packages or external downloads are requested, which is low risk from an install perspective.
!
Credentials
The code expects a single API key in LINKFOXAGENT_API_KEY to authenticate requests to the LinkFox gateway. That single credential is proportionate to the skill's function, but the skill manifest/requirements did not declare it — a manifest omission that reduces transparency. Also, the feedback API could receive user-provided content; no credentials for it are declared (and none are shown), so feedback may be unauthenticated and could expose user input to LinkFox servers.
Persistence & Privilege
The skill is not marked 'always: true' and uses normal, user-invokable/autonomous invocation defaults. It does not request system-wide privileges or modify other skills. No persistence or elevated privileges are requested.
What to consider before installing
This skill genuinely queries a LinkFox Google Trends API, but the package metadata fails to declare the required LINKFOXAGENT_API_KEY environment variable that the included script and API docs expect — that's a transparency issue. Before installing or enabling it, confirm you trust the LinkFox domains (tool-gateway.linkfox.com and skill-api.linkfox.com) and the skill owner. Be aware the feedback API is instructed to accept content that may include user utterances; that will send user-provided text to an external service. If you plan to use this skill, (1) set a dedicated, least-privileged API key in LINKFOXAGENT_API_KEY; (2) avoid sending sensitive or private user data through it; (3) ask the publisher to update the manifest to explicitly list the required env var and clarify how feedback is handled; and (4) consider testing with non-sensitive queries first. If you cannot verify the service owner or do not consent to external transmission of user input, do not enable the skill.

Like a lobster shell, security has layers — review code before you run it.

latest vk974q52a229z5zx0bfm50bza5n83zb93
