Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Jiimore Niche By Keyword
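v1.0.0
In-depth analysis of Amazon niche markets by keyword, covering monopoly level, brand concentration, new-product success rate, and market opportunity score. When the user mentions niche market analysis, keyword market research, monopoly assessment, brand concentration analysis, new-product success rate, market demand score, competitive landscape, Amazon sub-market exploration, niche market analysis, keyword market, monopoly level,...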
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description (Amazon niche analysis by keyword) match the implementation: both the Python script and the API reference call https://tool-gateway.linkfox.com/jiimore/getNicheInfoByKeyword and return the niche metrics described. However, the published metadata lists no required environment variables or primary credential while the code and references explicitly require an API key (LINKFOXAGENT_API_KEY).
Instruction Scope
SKILL.md focuses on niche/keyword analysis, parameter validation, and instructs translating the keyword to the marketplace language before calling the API. It does not direct the agent to read unrelated files or secrets. It does, however, rely on calling an external service and suggests posting feedback to a separate endpoint (skill-api.linkfox.com).
Install Mechanism
No install spec is present (instruction-only skill with a small Python utility). That is low risk — nothing is downloaded from arbitrary URLs and no installers/extract steps are declared.
Credentials
Although registry metadata lists no required env vars, both references/api.md and scripts/jiimore_get_niche_info_by_keyword.py require LINKFOXAGENT_API_KEY (used in Authorization header). This is a secret (API key) and should have been declared as the primary credential. The mismatch is an incoherence that could mislead users about what secrets they must provide. No other excessive credentials are requested.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system settings, and will only call external APIs when invoked. Normal autonomous invocation is enabled (disable-model-invocation=false), which is platform-default and not by itself flagged.
What to consider before installing
This skill appears to do exactly what it says (fetch niche metrics from a LinkFox/Jiimore API) but its published metadata omits the fact that it requires an API key (LINKFOXAGENT_API_KEY). Before installing or enabling it:
1) Treat the API key as a secret — only provide it if you trust the LinkFox service and the skill owner.
2) Verify the service privacy/policy and what data (keywords, queries) will be logged or retained by https://tool-gateway.linkfox.com and https://skill-api.linkfox.com.
3) Because the skill source has no homepage and the owner is unknown, consider asking the publisher for provenance (official docs, company info) or using a scoped/test API key with limited permissions.
4) If you don't want your keywords sent to an external vendor, do not supply the API key.
The main concrete problem here is a metadata mismatch (declared no env vars vs. code requiring LINKFOXAGENT_API_KEY), which is an indicator of sloppy packaging and justifies extra caution.
Like a lobster shell, security has layers — review code before you run it.
latestvk9767vvk2r7qhw218vksyfcwdx83y7h8
