Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Keepa Product History

v1.0.0

Queries historical time-series data for Amazon products, including price trends, BSR (Best Sellers Rank) trends, rating changes, seller counts and monthly sales volume, for any ASIN across multiple Amazon marketplaces. Triggered when the user mentions price history, price tracking, BSR history, BSR trends, historical pricing, price fluctuations, Keepa data, rank history, price-drop alerts, Lightning Deal historical prices, Buy Box price trends, coupon prices, FBA/FBM price comparison, ...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description match the behavior: the skill queries time-series product data (Keepa-style) via a LinkFox tool gateway. Using an API key to call an external gateway is expected for this purpose. However, the skill metadata claims 'Required env vars: none' while both references/api.md and scripts/keepa_product_history.py require LINKFOXAGENT_API_KEY — an omission in declared requirements.
Instruction Scope
SKILL.md and the included script only instruct calling the documented LinkFox endpoint(s) and formatting/returning the response. There are no instructions to read unrelated local files, credentials, or system state. The trigger rules are broad (many keywords) but that is an invocation policy, not an instruction to access extra data.
Install Mechanism
This is instruction-only with a small helper script; there is no install spec that downloads or extracts code from arbitrary URLs. No installers or third-party packages are pulled in by the skill bundle itself.
Credentials
The runtime requires a secret API key (LINKFOXAGENT_API_KEY) to authenticate to https://tool-gateway.linkfox.com, but the skill metadata does not declare any required env vars or a primary credential. Asking for an API key to call the external service is proportionate to the stated purpose, but failing to declare it in the skill manifest is an inconsistency that could hide credential requirements or mislead users about what will be accessed.
Persistence & Privilege
The skill does not request always:true and has no install-time mechanisms that persist beyond the skill's own files. It doesn't modify other skills or system-wide configs. Autonomous invocation is allowed (platform default) but is not combined with elevated privileges.
What to consider before installing
This skill appears to genuinely call a LinkFox gateway to return Amazon/Keepa-style time-series data, but take these precautions before installing or enabling it:

- The skill code and docs require an API key named LINKFOXAGENT_API_KEY, but the skill manifest claims no required env vars. Ask the publisher to declare this in the manifest so you know what secrets are needed.
- Only provide an API key you trust and that is scoped/minimized for this purpose. Do not reuse high-privilege keys (AWS, personal tokens, or keys used by other services).
- Verify the endpoints and ownership: the tool gateway is https://tool-gateway.linkfox.com and feedback goes to https://skill-api.linkfox.com. Confirm these domains and the publisher are legitimate before sending sensitive data.
- Because the skill calls an external service, avoid sending any personally identifiable or sensitive information in ASIN-related requests unless you trust the backend.
- Prefer that the author add explicit manifest declarations (required env var and primary credential) and a homepage or publisher contact so you can verify provenance.

Given the missing metadata and external API usage, treat the skill as suspicious until those inconsistencies are resolved.
