Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ruiguan Utility Patent

v1.0.0

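Detects and searches for similar utility-model/invention patents based on product information. When the user mentions utility-model patent detection, patent infringement risk, patent similarity search, patent screening, invention patent lookup, patent risk assessment, TRO (temporary restraining order) risk analysis, utility patent, invention patent detection, patent infringement risk,...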

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name, description, SKILL.md, references/api.md, and the Python script all consistently implement a utility-patent similarity/search tool that calls a LinkFox API endpoint. The requested inputs (product title/description, region, topNumber) and outputs align with the stated purpose.
! Instruction Scope
SKILL.md and references/api.md describe calling an external API and running the included script — which is appropriate — but the instructions rely on an environment API key (LINKFOXAGENT_API_KEY) that is not declared in the skill's registry metadata (required env vars = none). The agent instructions do not request unrelated system files, but they do instruct network calls to external endpoints; that is expected for this purpose.
Install Mechanism
No install spec (instruction-only plus a small Python helper). The script uses only standard Python libraries and makes HTTPS requests. There are no downloads from untrusted URLs, no extracted archives, and nothing writes installation artifacts to non-standard locations.
! Credentials
The code and API reference require an API key via the environment variable LINKFOXAGENT_API_KEY. Requiring a single API key for the remote patent API is proportionate to the skill's function, but the skill's declared requirements do not list this env var — a metadata omission that can mislead users about what secrets are needed and sent to the external service.
Persistence & Privilege
The skill does not request persistent or elevated privileges (always is false, no system config paths, no modification of other skills). Autonomous invocation is allowed (default) but is not combined with other high-risk factors here.
What to consider before installing
This skill generally does what it says (calls LinkFox's patent-detection API), but it expects an API key in the environment (LINKFOXAGENT_API_KEY) even though the skill metadata doesn't declare that requirement. Before installing or using it:

1) Do not place any highly sensitive or private proprietary technical details in the productDescription unless you trust the LinkFox endpoint (tool-gateway.linkfox.com).
2) Verify where the API key comes from and whether it's tied to your account — avoid reusing high-privilege keys.
3) Ask the publisher to update the skill metadata to declare LINKFOXAGENT_API_KEY as a required env var and provide a privacy/data-handling policy that explains how submitted product descriptions and results are stored or logged.
4) If you need legal conclusions, consult a qualified patent attorney — the skill returns similarity data, not legal advice.

If you cannot verify the endpoint or the publisher, treat the missing env-var declaration as a red flag and avoid providing secrets or confidential product details.

Like a lobster shell, security has layers — review code before you run it.
