Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jiimore Niche Review

v1.0.0

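Amazon niche market review analysis and consumer sentiment insights. When the user mentions niche market review analysis, consumer sentiment, user pain points, customer feedback insights, review topic analysis, positive and negative review breakdown, niche market opinion mining, product review sentiment analysis, niche market reviews, consumer sentiment, customer pain points, review to...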

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill claims to call the LinkFox Jiimore API to analyze Amazon niche reviews — which matches the included script and API reference. However, the skill metadata lists no required environment variables or runtime binaries, while the code clearly requires a LINKFOXAGENT_API_KEY environment variable and expects a Python 3 runtime. Those omissions are inconsistent with the stated purpose and suggest the manifest is incomplete.
Instruction Scope
SKILL.md and references/api.md instruct the agent to POST JSON to https://tool-gateway.linkfox.com/jiimore/getNicheReviewFromKeyword and optionally to a separate feedback endpoint at https://skill-api.linkfox.com/api/v1/public/feedback. The instructions otherwise stay within the described domain (keyword → niche review analysis). They do, however, rely on an environment API key (LINKFOXAGENT_API_KEY) that the manifest does not declare. There is no instruction to read unrelated local files or exfiltrate other credentials.
Install Mechanism
No install spec is provided (instruction-only), so nothing is downloaded or written by an installer. The package includes a Python script that will make network calls if executed; because there is no install step that fetches remote code, install-mechanism risk is low. Still, running the included script will perform outbound network requests to external endpoints.
! Credentials
The code requires an API key via the LINKFOXAGENT_API_KEY environment variable (used as the Authorization header) but the skill metadata does not list any required env vars or a primary credential. That mismatch is concerning: the skill will fail without the key, and the user has no manifest-declared indication that a key is needed. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request persistent privileges, does not set always:true, and does not declare any config paths. Autonomous invocation is permitted (platform default) but is not combined with any elevated privileges or additional credential access in the manifest.
What to consider before installing
This skill appears to do what it claims (call the LinkFox Jiimore API to analyze Amazon niche reviews), but the manifest is incomplete. Before installing or enabling it:
1) confirm you trust the LinkFox endpoints (tool-gateway.linkfox.com and skill-api.linkfox.com) and the publisher;
2) expect to provide an API key via LINKFOXAGENT_API_KEY — the skill will exit if that env var is missing;
3) be aware the included Python script will make outbound requests when executed and requires a Python 3 runtime (the manifest does not declare this);
4) ask the publisher to update the skill metadata to explicitly declare required env vars and runtime/binaries, and provide a homepage or contact so you can verify the service and API key provisioning process.
If you cannot verify the provider or do not want to supply an API key to this service, do not enable the skill.
