Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ruiguan Text Trademark

v1.0.0

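Text trademark detection and infringement risk analysis for e-commerce product listings. When the user mentions trademark detection, trademark risk checks, brand infringement screening, product title trademark scanning, text trademark lookup, listing compliance checks, intellectual property risk assessment, text trademark detection, trademark infringement, brand infringement...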

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description match the implementation: the skill scans product text against a trademark database via LinkFox's ruiguan/textTrademarkDetection API. The included script and API reference align with the declared purpose.
Instruction Scope (flagged)
SKILL.md and references instruct the agent to call an external API and to run scripts/ruiguan_text_trademark_detection.py which POSTs productTitle/productText to https://tool-gateway.linkfox.com/ruiguan/textTrademarkDetection. That behavior is expected for this skill, but the instructions reference an environment variable (LINKFOXAGENT_API_KEY) used for Authorization even though the skill metadata did not declare it — this mismatch can lead to unexpected credential use or agent attempts to locate secrets.
Install Mechanism
There is no install spec (instruction-only with a small helper script). No third-party package downloads or archive extraction are performed. The script uses Python stdlib network calls; nothing is being written to disk beyond the included files.
Credentials (flagged)
The script and API reference require an API key via the LINKFOXAGENT_API_KEY environment variable, but the skill metadata lists no required env vars or primary credential. Sending product titles/text to an external API requires an API key and transmits user data to a third-party host; the missing declaration is an important omission and reduces transparency about what secrets will be used/exposed.
Persistence & Privilege
always:false and no install-time privileged modifications are present. The skill does not request permanent presence or attempt to modify other skills or system settings.
What to consider before installing
This skill appears to do what it claims (send product title/text to LinkFox for trademark checking), but the package metadata fails to declare the required LINKFOXAGENT_API_KEY. Before installing:
1) Confirm you trust the external host (tool-gateway.linkfox.com / skill-api.linkfox.com) and the publisher.
2) Ask the publisher to update metadata to declare LINKFOXAGENT_API_KEY as a required credential (so you know a secret is needed).
3) Only provide an API key scoped/minimized for this use and avoid sharing higher-privilege keys.
4) Be aware that product titles/descriptions will be transmitted off your system; do not send sensitive PII or unreleased product data you cannot expose.
5) If you can't verify LinkFox's reputation, avoid installing or run the script in an isolated environment and monitor network traffic; rotate the key if you suspect misuse.


latestvk976as9maa0fy2eb07gxxnj6rh841ew6
