Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Keepa Product Search

v1.0.0

Advanced Amazon product search and filtering based on Keepa data, supporting multi-dimensional criteria such as category, price, monthly sales, keywords, BSR rank, review count, rating, package dimensions, weight, and fulfillment method. Triggered when the user mentions Keepa product selection, Amazon product lookup, advanced product research, BSR filtering, selecting by sales rank, monthly-sales filtering, keyword-based selection, category-based selection, competitor filtering, niche product discovery, historical rank filtering, Keepa prod...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign (View report →)

OpenClaw: Suspicious (medium confidence)
Purpose & Capability (flagged)
The description promises 'Keepa data' search, but the implementation calls a third-party endpoint (https://tool-gateway.linkfox.com/keepa/productSearch) rather than Keepa's official API, and it neither requires nor documents a Keepa API key. Calling a proxy or gateway can be legitimate, but the registry metadata does not declare the LINKFOXAGENT_API_KEY environment variable that the code and API docs require, so the claimed purpose and the declared requirements are inconsistent.
Instruction Scope (flagged)
SKILL.md and references/api.md instruct the agent to send POST requests to the LinkFox tool gateway with an Authorization header read from the environment variable LINKFOXAGENT_API_KEY; the included runtime script (scripts/keepa_product_search.py) enforces this. There are no instructions to read unrelated system files, but every user query parameter is transmitted to an external third-party endpoint, which is broader than the 'Keepa' branding leads users to expect.
Install Mechanism
There is no install spec (this is an instruction-only skill) and no automated downloader; a small helper script is included, but no installer writes anything to disk. This minimizes installation risk. The higher-level concern is the external API endpoint the skill uses, not the installation mechanism.
Credentials (flagged)
The code and API docs require one environment variable, LINKFOXAGENT_API_KEY, to authenticate to LinkFox's gateway, while the registry metadata lists no required env vars; that is an inconsistency. Requiring a single API key is proportionate for a remote service, but the key is for a third party (LinkFox), not Keepa, and users may not expect to hand credentials to that service. No other credentials are requested.
Persistence & Privilege
The skill does not request persistent/always-on privileges (always: false), does not modify other skill configs, and has no install-time privilege escalation. Autonomous invocation remains possible (platform default) but is not additionally privileged by this skill.
What to consider before installing
Before installing, note that the skill does not call Keepa directly but forwards queries to a LinkFox gateway (https://tool-gateway.linkfox.com). The included Python script and API docs expect an environment variable LINKFOXAGENT_API_KEY (not listed in the registry metadata), so you would need to supply that key for the skill to call the third-party service. Consider these precautions:

- Ask the publisher which backend is used and whether the gateway accesses Keepa data legally and securely. Request a public homepage, privacy policy, and provenance for the data.
- Do not reuse high-privilege keys. If you test it, provide a limited-scope or revocable key for LINKFOXAGENT_API_KEY, or test in an isolated environment.
- If you expected the skill to use your own Keepa account, ask the author to clarify and, ideally, to support direct Keepa API integration instead of a third-party proxy.
- Because the implementation and registry metadata disagree (the script expects LINKFOXAGENT_API_KEY but the registry declares none), ask the publisher to update the metadata to explicitly declare required env vars and document what the key grants.

Given these mismatches and the unknown owner/homepage, treat the skill as suspicious until the author clarifies the data source, ownership, and the exact use of LINKFOXAGENT_API_KEY.
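One way to run the consistency check behind the "undeclared env var" and "unexpected endpoint" findings above yourself before installing, as an added example that is not ClawHub's scanner and not the skill's own code: it extracts the environment variables a skill script reads and the hosts it contacts, then diffs them against the registry metadata. The script text, the metadata, and the expected host api.keepa.com are constructed for the demo from what the report states (a script that reads LINKFOXAGENT_API_KEY and POSTs to the LinkFox gateway, and a registry entry that declares no env vars); the real skill files are not reproduced here.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Constructed stand-in for scripts/keepa_product_search.py. The report says the
# real script reads LINKFOXAGENT_API_KEY and POSTs to the LinkFox gateway with
# an Authorization header; the exact lines below are an assumption for the demo.
SAMPLE_SCRIPT = '''
import os
import requests

ENDPOINT = "https://tool-gateway.linkfox.com/keepa/productSearch"

def search(params):
    key = os.environ["LINKFOXAGENT_API_KEY"]
    headers = {"Authorization": key}
    return requests.post(ENDPOINT, json=params, headers=headers).json()
'''

# Constructed registry metadata: the report says the registry declares no env vars.
SAMPLE_METADATA = {"name": "keepa-product-search", "env": [], "always": False}

# Hosts a user would expect from a skill branded "Keepa" (assumption for the demo).
EXPECTED_HOSTS = {"api.keepa.com"}

# Matches os.environ["X"], os.environ.get("X") and os.getenv("X", ...) in Python source.
ENV_PATTERNS = [
    re.compile(r'os\.environ(?:\.get)?\s*[\[(]\s*["\']([A-Z][A-Z0-9_]*)["\']'),
    re.compile(r'os\.getenv\s*\(\s*["\']([A-Z][A-Z0-9_]*)["\']'),
]
URL_PATTERN = re.compile(r'https?://[^\s"\'<>)]+')


def referenced_env_vars(source: str) -> set[str]:
    """Environment variables the script reads through os.environ / os.getenv."""
    found: set[str] = set()
    for pattern in ENV_PATTERNS:
        found.update(pattern.findall(source))
    return found


def outbound_hosts(source: str) -> set[str]:
    """Hostnames of every http(s) URL literal in the source."""
    hosts = (urlparse(url).hostname for url in URL_PATTERN.findall(source))
    return {h for h in hosts if h}


def audit_skill(metadata: dict, sources: dict[str, str], expected_hosts: set[str]) -> dict:
    """Diff what the code needs and contacts against what the registry declares."""
    declared = set(metadata.get("env", []))
    used: set[str] = set()
    hosts: set[str] = set()
    for text in sources.values():
        used |= referenced_env_vars(text)
        hosts |= outbound_hosts(text)
    return {
        "undeclared_env": sorted(used - declared),        # code needs it, registry hides it
        "unused_declared_env": sorted(declared - used),   # registry claims it, code ignores it
        "unexpected_hosts": sorted(hosts - expected_hosts),
    }


if __name__ == "__main__":
    report = audit_skill(
        SAMPLE_METADATA,
        {"scripts/keepa_product_search.py": SAMPLE_SCRIPT},
        EXPECTED_HOSTS,
    )
    for finding, values in report.items():
        print(f"{finding}: {values}")
```

Point audit_skill at the real SKILL.md, references/api.md and scripts/ contents (read from the downloaded zip) and at the registry entry; a non-empty undeclared_env or unexpected_hosts list is exactly the mismatch the scan reports, and the regexes only cover Python-style environment reads, so extend ENV_PATTERNS for skills written in other languages.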



