Skill v1.0.0
ClawScan security
Ruiguan Copyright · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 1, 2026, 8:43 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to implement an image copyright-checking service that contacts an external LinkFox API, which is coherent with its description, but the package metadata fails to declare the required API credential and thus has an unexplained mismatch that users should review before installing.
- Guidance:
  - What to check before installing:
    - Be aware the skill sends the image URL and parameters to an external service at tool-gateway.linkfox.com (and has a separate feedback endpoint at skill-api.linkfox.com). Any image URL you provide will be transmitted to that service; avoid private/internal URLs or images containing sensitive data.
    - The included script and API docs require an environment variable LINKFOXAGENT_API_KEY (used in the Authorization header). The skill metadata does not declare this; confirm you trust the API provider and understand where to obtain/store the key before supplying it.
    - Confirm the provider/domain (tool-gateway.linkfox.com) is legitimate for your organization and review their privacy/data-retention and legal terms if you will submit user images.
    - If you need stronger assurance, ask the author for a homepage or publisher identity, request that the skill manifest be updated to declare LINKFOXAGENT_API_KEY in requires.env, and verify any service endpoints and credential issuance process.
  - Why I rated this suspicious: the implementation matches the claimed purpose, but the omission of the required API credential in the declared metadata is a non-trivial inconsistency that affects security review and user expectations. If the manifest explicitly declared the API key requirement and the provider identity were clear, this would likely be classified as benign.
  - Additional information that would raise confidence: an explicit requires.env listing LINKFOXAGENT_API_KEY, a verified homepage or publisher, and documentation on data handling by the external API.
Review Dimensions
- Purpose & Capability
  - note: The skill's name, description, SKILL.md, API reference, and included Python script all consistently implement an image copyright detection workflow against the LinkFox tool-gateway API. That capability matches the stated purpose. However, the manifest metadata claims no required environment variables while the provided API reference and script require an API key (LINKFOXAGENT_API_KEY). The missing declaration is an inconsistency.
- Instruction Scope
  - note: Runtime instructions focus on calling the LinkFox API with a public image URL and returning similarity / TRO / radar results; they do not instruct reading unrelated local files. The one scope issue: both references/api.md and scripts/ruiguan_copyright_detection.py require an Authorization API key from the environment, but SKILL.md/manifest do not list that env var as required.
- Install Mechanism
  - ok: This is instruction-only plus a small helper script; there is no install spec, no downloads, and no archive extraction. No elevated install risk detected.
- Credentials
  - concern: The code and API docs require an API key (LINKFOXAGENT_API_KEY) passed in the Authorization header to the external endpoint https://tool-gateway.linkfox.com. The skill metadata however lists no required env vars or primary credential. Requiring an API key for the external service is reasonable for the stated purpose, but omitting it from the declared requirements is a misalignment that could hide credential needs from users and reviewers.
- Persistence & Privilege
  - ok: The skill does not request always:true, does not modify other skills, and has no install-time persistence. It can be invoked autonomously by default (platform default), which is normal; no extra privileges were requested.
