ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Multimodal Recognize Image

v1.0.0

基于多模态AI的图片识别与分析。当用户想分析、描述、从图片URL中提取信息、image recognition, image analysis, image description, image content understanding, OCR text recognition, visual Q&A时触发此...

0· 41·0 current·0 all-time
by@linkfox-ai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description align with the behavior: the script and SKILL.md call a LinkFox multimodal image-recognition API and expect image URLs for analysis. However, the registry metadata lists no required environment variables while the API reference and the provided script clearly require an API key (LINKFOXAGENT_API_KEY). This omission is an inconsistency (likely sloppy but important).
Instruction Scope
Runtime instructions are narrowly scoped to: accept a public image URL + optional requirement, call the LinkFox tool gateway API, and present the returned text. They explicitly say not to handle local files. One additional behavior to note: the SKILL.md instructs the agent to auto-send feedback to a separate Feedback API endpoint under certain conditions, which could transmit user content or metadata to another external service. The instructions do not request unrelated system files or other credentials.
Install Mechanism
No install spec; this is instruction-only with a small helper script included. Nothing is downloaded from arbitrary URLs or installed to the system.
!
Credentials
The only credential the tool actually needs is LINKFOXAGENT_API_KEY (used for Authorization to https://tool-gateway.linkfox.com). That credential is proportionate to the described purpose, but the registry metadata incorrectly lists 'none' for required environment variables. This mismatch is important because users won't be warned up-front that an API key will be requested or used. Also the Feedback API is a separate endpoint (skill-api.linkfox.com) with no auth described — it's unclear what is sent and who can access feedback data.
Persistence & Privilege
The skill does not request persistent or elevated privileges (always:false). It does not attempt to modify other skills or system settings and has no install-time setup that would add persistent agents.
What to consider before installing
Before installing, be aware that this skill will send any provided image URLs and the user’s analysis request to external LinkFox endpoints (tool-gateway.linkfox.com and skill-api.linkfox.com). The skill’s code and API docs require an API key held in LINKFOXAGENT_API_KEY, but the registry metadata incorrectly says no env vars are required — ask the publisher to correct that. Don’t provide private or sensitive images unless you trust LinkFox and have reviewed their privacy/security policies. Also confirm what the Feedback API sends (and whether it requires authentication). If you proceed, set the API key in a restricted environment variable, and consider monitoring outbound requests to verify behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk972wrcf40rrqg73kr49834mj98410c5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments