Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jiimore Niche Info

v1.0.0

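Query and analyze Jiimore's Amazon niche market insights, including market metrics, buyer reviews, competitive landscape, price trends, and growth trends. When the user mentions niche market analysis, market insights, niche market data, market competition analysis, brand concentration, new product launch success rate, out-of-stock rate, price trends, review insights, market demand score, niche market insights, market metrics, compe...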

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The SKILL.md, reference doc, and included script all implement a single purpose: query Jiimore niche data from https://tool-gateway.linkfox.com/jiimore/getNicheInfo by nicheId. The code and docs are consistent with the stated capability (market insights for a single niche).
Instruction Scope
Runtime instructions and the script scope are narrow: accept a nicheId and optional countryCode, validate parameters, and POST to the documented Jiimore endpoint. The skill does not instruct reading unrelated files, scanning the system, or exfiltrating environment data other than the API key required for the service.
Install Mechanism
There is no install spec (instruction-only style) and the single Python script uses only standard libraries. No downloads or archive extraction are performed. This is low install risk.
Credentials
The code and API reference require an API key via environment variable LINKFOXAGENT_API_KEY, but the skill registry metadata declares no required environment variables or primary credential. That omission is an incoherence: the skill will not function without a secret, and the registry does not disclose or request it. Additionally, the required API key is a credential (Authorization header) and users should expect it to be declared explicitly.
Persistence & Privilege
The skill does not request always:on, does not modify other skills or system settings, and has no install steps that persist binaries. It runs a simple POST and prints results—no elevated persistence or privilege is requested.
What to consider before installing
This skill largely does what it claims (query Jiimore niche data), but note two issues before installing or using it:

1) Missing declared credential: The script and API docs require an API key in the environment variable LINKFOXAGENT_API_KEY, but the skill metadata does not list any required env vars. Ask the publisher or registry to update the skill metadata to explicitly declare this required API key (and any scopes/expiration).

2) Verify provenance before providing credentials: The skill points at tool-gateway.linkfox.com and a Feishu wiki for obtaining a key, but the package has no homepage and the publisher identity is only a registry owner ID. Confirm that LinkFox is a trusted provider for you and that the API key you obtain is intended for this use. Do not reuse high-privilege or long-lived credentials; prefer a scoped, revocable API key.

3) Operational check: If you proceed, test the skill in a controlled environment using a limited-scope or test key. Review network logs to confirm requests go only to the documented endpoints (tool-gateway.linkfox.com and the separate feedback endpoint) and that the skill does not transmit your system data. If the registry owner or homepage cannot be verified, treat the credential requirement as a red flag and avoid provisioning sensitive keys.

Like a lobster shell, security has layers — review code before you run it.
