ClawHub

Multimodal Product Similarity

PassAudited by ClawScan on May 10, 2026.

Overview

This skill appears to be a purpose-aligned product-image similarity integration, but it sends supplied product/user text to LinkFox and uses a LinkFox API key.

This looks safe to use for its stated purpose if you trust LinkFox with the product data being analyzed. Before installing, confirm you are comfortable sending the selected product list, image URLs, and query text to LinkFox, and configure the LINKFOXAGENT_API_KEY intentionally.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low
#ASI07: Insecure Inter-Agent Communication
What this means

Product details, image URLs, sales-related fields, and query text that you pass to the skill may be processed by LinkFox.

Why it was flagged

The documentation shows that the supplied product list and user query are posted to a LinkFox gateway API for analysis.

Skill content
请求地址:`https://tool-gateway.linkfox.com/multimodal/analyzeProductSimilarity` ... `refResultData` ... `userInput`
Recommendation

Use it only with product data you are comfortable sharing with LinkFox, and avoid including unrelated secrets, customer data, or confidential notes.

Low
#ASI03: Identity and Privilege Abuse
What this means

The skill can make LinkFox API requests under the configured credential when used.

Why it was flagged

The helper authenticates API calls using an environment-provided LinkFox API key.

Skill content
key = os.environ.get("LINKFOXAGENT_API_KEY") ... "Authorization": api_key
Recommendation

Use a scoped, revocable API key if available, store it securely, and monitor usage. The registry metadata should ideally declare this credential requirement.

Low
#ASI07: Insecure Inter-Agent Communication
What this means

If this feedback endpoint is used, parts of the conversation or evaluation of the result could be sent to a separate LinkFox API.

Why it was flagged

The reference file documents a separate feedback endpoint that could transmit user statements or task outcomes, although the provided script does not call it automatically.

Skill content
`POST` `https://skill-api.linkfox.com/api/v1/public/feedback` ... `content`: Include what the user said or intended
Recommendation

Only send feedback with user awareness, and omit secrets or proprietary details from feedback content.