Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jiimore Product Discovery

v1.0.0

Amazon product discovery and potential-bestseller mining based on Jiimore data. Use when the user mentions product mining, potential bestsellers, high-conversion product selection, click-growth analysis, market growth opportunities, keyword-based product selection, FBA profit screening, niche-market product discovery, seller-origin filtering, product mining, potential bestsellers, high-conversion product selecti...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description (Amazon product mining via Jiimore/LinkFox) match the included API reference and the provided script: the skill's functionality (keyword-driven product discovery) is coherent with calling the jiimore/productDiscovery endpoint.
Instruction Scope (flagged)
SKILL.md and references/api.md instruct the agent to POST to https://tool-gateway.linkfox.com/jiimore/productDiscovery and to send an Authorization header containing LINKFOXAGENT_API_KEY. The included script enforces presence of that env var. However the skill registry metadata declares no required env vars — the runtime instructions thus access an undeclared secret and an external endpoint, which is a scope mismatch that should be resolved before trusting the skill.
Install Mechanism
No install spec; the skill is instruction-only with a small helper script. No third-party package downloads or archive extraction are present, so install-time risk is low.
Credentials (flagged)
Although the skill only needs one API key to call the external Jiimore API, the required environment variable (LINKFOXAGENT_API_KEY) is not declared in the skill metadata. The variable name is generic and could be used for other LinkFox/agent integrations — the omission prevents users from understanding credential scope and whether this key grants broader access elsewhere.
Persistence & Privilege
The always flag is false and the skill does not request persistent or automatic installation privileges. It does not attempt to modify other skills or system-wide settings. Autonomous invocation remains allowed (platform default) but is not combined with other high-privilege behavior here.
What to consider before installing
This skill appears to perform the product-discovery function it claims, but it requires an API key (LINKFOXAGENT_API_KEY) to call an external LinkFox / Jiimore endpoint — that key is not declared in the registry metadata. Before installing or using: (1) confirm the skill publisher and verify the LinkFox domains (tool-gateway.linkfox.com and skill-api.linkfox.com) are legitimate for your organization; (2) require the publisher to update the skill metadata to declare LINKFOXAGENT_API_KEY so you know what secret the skill needs; (3) avoid re-using any high-privilege or long-lived API key — create a scoped, revocable key for this skill if possible; (4) review privacy/data policies: queries and returned product data are sent to an external service; do not include sensitive data in queries. If you cannot verify the publisher or the endpoint, treat the skill as risky and do not provide your API key.

Like a lobster shell, security has layers — review code before you run it.
