Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ruiguan Graphic Trademark

v1.0.0

Graphic trademark detection and similarity search for product images. When the user mentions trademark detection, graphic trademark search, logo infringement check, trademark similarity analysis, image trademark risk assessment, product image trademark screening, graphic trademark detection, logo infringement, trademark similarity, trademark risk, i...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
The SKILL.md, API reference, and included script all implement a graphic-trademark detection flow that matches the skill's stated purpose (YOLO detection + similarity search against trademark DBs). However, the registry metadata lists no required environment variables or primary credential even though the code and API docs require an API key (LINKFOXAGENT_API_KEY). Omitting this required credential from metadata is an incoherence that could mislead users.
Instruction Scope (flagged)
Runtime instructions and the script direct the agent to send user-supplied images (imageUrl or base64) and optional product metadata to an external endpoint (https://tool-gateway.linkfox.com/ruiguan/trademarkGraphicDetection). Sending full images and titles to a third-party service is expected for this functionality but is a privacy/data-exfiltration risk that should be explicitly declared. The instructions also reference a separate feedback endpoint (skill-api.linkfox.com). The script expects an environment variable for auth that is not declared in the skill metadata, which is a scope mismatch.
Install Mechanism
No install spec is provided (instruction-only plus a small helper script), so nothing is automatically downloaded or executed beyond the included script. This is the lower-risk option for installation mechanics.
Credentials (flagged)
The skill requires an API key (LINKFOXAGENT_API_KEY) per references/api.md and the included Python script, yet the registry metadata claims no required env vars or primary credential. Requiring an API key to call an external service is reasonable for the feature, but the missing declaration is a significant inconsistency. Users should treat that key as a secret and confirm how LinkFox stores or uses submitted images and metadata.
Persistence & Privilege
The skill does not request elevated or persistent privileges: always is false, it does not modify other skills or system settings, and it does not embed persistent autorun behavior. It simply invokes an external API at runtime.
What to consider before installing
This skill appears to implement the advertised trademark-image checks, but there are two things to be careful about: (1) the skill actually requires an API key (LINKFOXAGENT_API_KEY) even though the metadata doesn’t declare it—ask the publisher to update the metadata before installing; (2) using the skill sends your product images and optional product titles to https://tool-gateway.linkfox.com and a feedback endpoint, which may expose sensitive visuals or business data. Before enabling: verify LinkFox’s privacy and retention policies, only test with non-sensitive images first, store the API key as a least-privilege credential and rotate it if needed, and request clarification from the skill owner (owner ID present) about what data is logged/stored and how long it is retained. If you cannot verify those points, avoid sending private or customer images to the service.


latest: vk970zxh95gsdt6vhz8y36q9bdx841k84
