Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Multimodal Product Similarity

v1.0.0

Multimodal product image similarity analysis and grouping. Use when the user mentions product image similarity, visual grouping, finding visually similar products, image-based deduplication, competitor same-style detection, same-style product clustering, grouping by appearance, image similarity, product image comparison, visual clustering, same-style recognition,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md, references/api.md, and the included script all call https://tool-gateway.linkfox.com/multimodal/analyzeProductSimilarity to perform image-similarity grouping — that matches the skill's stated purpose. However, the skill registry metadata declares no required environment variables or primary credential even though the code and API docs clearly require an API key (LINKFOXAGENT_API_KEY). This mismatch is an incoherence that should be resolved before trusting the skill.
Instruction Scope
The runtime instructions and the script stay within the stated scope: they accept a preceding tool's product list (refResultData) and send it to the LinkFox tool gateway for analysis. The instructions do not request unrelated system files or broad context. They do call a separate feedback endpoint (skill-api.linkfox.com) for user feedback, which is documented separately in references/api.md.
Install Mechanism
There is no install spec (instruction-only), and the included Python script uses standard libraries to call the external API. Nothing is downloaded or extracted during install, so there is low disk-write/install risk.
Credentials
The code and API docs require a single API credential (LINKFOXAGENT_API_KEY) passed in the Authorization header — this is proportionate to calling an external API. The problem is the registry metadata did not declare this required env var or a primary credential, causing a mismatch between what the skill claims it needs and what it actually uses. Also note that any refResultData (product details and image URLs) will be transmitted to the external domain; ensure the API key and data-sharing policy are acceptable.
Persistence & Privilege
The always flag is false, and the skill does not request persistent system privileges or modify other skills. disable-model-invocation is at its default (the agent may invoke the skill autonomously), which is normal; there is no evidence that the skill tries to persist credentials or change platform-wide settings.
What to consider before installing
Before installing, confirm the missing-but-required env var: the script and API docs require LINKFOXAGENT_API_KEY, yet the registry metadata lists none — ask the publisher to update the metadata. Review and trust the external endpoints (tool-gateway.linkfox.com and skill-api.linkfox.com); using the skill will send any product JSON and image URLs you pass (refResultData) to that service along with your API key in the Authorization header. If you will pass sensitive or private product data, verify LinkFox's privacy/security policies and the API key scope. Prefer setting the API key in a restricted environment variable, inspect the script locally if desired (it is small and readable), and consider disabling autonomous invocation or limiting the contexts where the skill may be called until the metadata inconsistency is resolved.


latest: vk979wp8ngfzygm1gcbnhhxykrs840rr0

