Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ruiguan Copyright
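v1.0.0
Image copyright infringement detection and risk analysis. When the user mentions copyright detection, copyright verification, image infringement checks, image copyright risk, copyright similarity search, TRO risk analysis, rights-holder lookup, copyright compliance verification, copyright detection, image infringement, copyright risk, TRO risk, copyright lookup,...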
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, description, SKILL.md, API reference, and included Python script all consistently implement an image copyright detection workflow against the LinkFox tool-gateway API. That capability matches the stated purpose. However, the manifest metadata claims no required environment variables while the provided API reference and script require an API key (LINKFOXAGENT_API_KEY). The missing declaration is an inconsistency.
Instruction Scope
Runtime instructions focus on calling the LinkFox API with a public image URL and returning similarity / TRO / radar results; they do not instruct reading unrelated local files. The one scope issue: both references/api.md and scripts/ruiguan_copyright_detection.py require an Authorization API key from the environment, but SKILL.md/manifest do not list that env var as required.
Install Mechanism
This is instruction-only plus a small helper script; there is no install spec, no downloads, and no archive extraction. No elevated install risk detected.
Credentials
The code and API docs require an API key (LINKFOXAGENT_API_KEY) passed in the Authorization header to the external endpoint https://tool-gateway.linkfox.com. The skill metadata however lists no required env vars or primary credential. Requiring an API key for the external service is reasonable for the stated purpose, but omitting it from the declared requirements is a misalignment that could hide credential needs from users and reviewers.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no install-time persistence. It can be invoked autonomously by default (platform default), which is normal; no extra privileges were requested.
What to consider before installing
What to check before installing:
- Be aware the skill sends the image URL and parameters to an external service at tool-gateway.linkfox.com (and has a separate feedback endpoint at skill-api.linkfox.com). Any image URL you provide will be transmitted to that service — avoid private/internal URLs or images containing sensitive data.
- The included script and API docs require an environment variable LINKFOXAGENT_API_KEY (used in the Authorization header). The skill metadata does not declare this; confirm you trust the API provider and understand where to obtain/store the key before supplying it.
- Confirm the provider/domain (tool-gateway.linkfox.com) is legitimate for your organization and review their privacy/data-retention and legal terms if you will submit user images.
- If you need stronger assurance, ask the author for a homepage or publisher identity, request that the skill manifest be updated to declare LINKFOXAGENT_API_KEY in requires.env, and verify any service endpoints and credential issuance process.
Why I rated this suspicious: the implementation matches the claimed purpose, but the omission of the required API credential in the declared metadata is a non-trivial inconsistency that affects security review and user expectations. If the manifest explicitly declared the API key requirement and the provider identity were clear, this would likely be classified as benign. Additional information that would raise confidence: an explicit requires.env listing LINKFOXAGENT_API_KEY, a verified homepage or publisher, and documentation on data handling by the external API.
Like a lobster shell, security has layers — review code before you run it.
