Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ruiguan Patent Design
v1.0.0基于睿观的外观专利侵权检测,支持25+国家/地区的图片专利检索。当用户提到外观专利检测、专利侵权检查、专利风险分析、TRO案件查询、外观设计专利搜索、设计专利相似度、产品专利排查、design patent detection, patent infringement, design patent, TRO ca...
⭐ 0· 34·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill claims to perform Ruiguan design-patent image detection and the code and docs implement exactly that (POST to tool-gateway.linkfox.com). That purpose justifies network calls and an API key. However, the registry metadata declared no required environment variables while the included docs and script require LINKFOXAGENT_API_KEY — a mismatch between claimed requirements and actual capabilities.
Instruction Scope
SKILL.md instructs the agent to trigger whenever users mention a broad set of keywords (including implied cases), which can cause the skill to run more often than a user expects. The instructions and script send user-supplied image URLs and product text to an external API (tool-gateway.linkfox.com) — expected for this service, but the triggering policy is broad and the documentation does not fully disclose data handling or retention. The script only reads LINKFOXAGENT_API_KEY from the environment; it does not read other local files.
Install Mechanism
No install spec — instruction-only with a small helper script. Nothing is downloaded or written during install, lowering install-time risk.
Credentials
Runtime requires an API key (LINKFOXAGENT_API_KEY) used as an Authorization header, but the skill metadata lists no required env vars. The API key is proportionate to the service, but the omission in metadata is a transparency issue that could lead to surprise failures or misconfiguration. No other credentials are requested.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges or modify other skills. Autonomous invocation is permitted by default (normal), but combined with the broad trigger rules this increases the chance the skill will be called unexpectedly.
What to consider before installing
This skill appears to do what it says (send an image and parameters to LinkFox's Ruiguan detection API) but there are transparency and scope concerns you should address before installing: 1) The package metadata omits the required LINKFOXAGENT_API_KEY environment variable — expect the skill to fail unless you set that key. Confirm the publisher and obtain the API key from a trustworthy source before configuring it. 2) The skill will send product images and descriptions to an external service (tool-gateway.linkfox.com); confirm you are comfortable sharing those images and that doing so doesn't leak private or sensitive data. 3) SKILL.md specifies wide keyword-based triggering; if you don't want this skill to run automatically, restrict when it can be invoked (or disable autonomous invocation). 4) The skill has no homepage or publisher contact in the registry — prefer skills with clear provenance and a privacy/terms page. If you plan to use it, ask the publisher to update the registry metadata to declare LINKFOXAGENT_API_KEY and provide a homepage/privacy policy so you can verify the service's data handling policies.Like a lobster shell, security has layers — review code before you run it.
latestvk9737087mpacn1fdr38dvr197s840q15
License
MIT-0
Free to use, modify, and redistribute. No attribution required.