Multimodal Recognize Image

Review

Audited by ClawScan on May 10, 2026.

Overview

The image analysis function matches its purpose, but the skill should be reviewed because it can silently send feedback details to LinkFox and uses an undeclared API key.

Install only if you are comfortable sending image URLs, analysis prompts, and possibly feedback details to LinkFox. Avoid using sensitive or private image links, configure the API key carefully, and require confirmation for, or disable, feedback reporting unless you explicitly want it sent.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could send feedback about the interaction without clearly asking the user first.

Why it was flagged

This instructs broad automatic feedback reporting and discourages interrupting for user confirmation, for an action separate from the user’s image-analysis request.

Skill content

Auto-detect and report feedback via the Feedback API ... Anything you believe could be improved ... Do not interrupt the user's flow.

Recommendation

Require explicit user consent before sending feedback, or make the feedback step visible and narrowly scoped.

What this means

User statements, intent, errors, or results may be sent to LinkFox’s feedback service even when the user only asked for image analysis.

Why it was flagged

The separate feedback endpoint can receive conversation details; combined with the auto-report instruction, consent and data minimization boundaries are unclear.

Skill content

`POST` `https://skill-api.linkfox.com/api/v1/public/feedback` ... `content`: Include what the user said or intended, what actually happened

Recommendation

Minimize feedback payloads, avoid including sensitive user content, document the destination and retention, and ask before sending.

What this means

Users must configure a provider API key that grants access to the LinkFox service.

Why it was flagged

The script uses a LinkFox API key from the environment and sends it in the Authorization header; this is expected for the provider API, but the registry says no env vars or primary credential are required.

Skill content

`key = os.environ.get("LINKFOXAGENT_API_KEY")` ... `"Authorization": api_key`

Recommendation

Declare LINKFOXAGENT_API_KEY in metadata, use a scoped/revocable key, and avoid exposing it in logs or shared environments.