Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sellersprite Competitor

v1.0.0

Uses SellerSprite data to find and analyze competing products on Amazon, covering 12 marketplaces, with product metrics including sales volume, BSR, pricing, ratings and growth trends. Triggers when the user mentions competitor lookup, competitor analysis, ASIN reverse lookup, competing-product research, finding similar products, market competitor discovery, product benchmarking, competitor sales estimation, analyzing competing listings, competitor analysis, ASIN reverse lo...

0 · 39 · 0 current · 0 all-time

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign

OpenClaw: Suspicious (high confidence)
Purpose & Capability
The SKILL.md, api.md, and the included Python script consistently describe calling LinkFox's SellerSprite competitor-lookup API and returning Amazon competitor metrics — this matches the skill name/description. However, the skill metadata declares no required environment variables or credentials while both references/api.md and scripts/sellersprite_competitor_lookup.py require an API key (LINKFOXAGENT_API_KEY). That omission is an incoherence between claimed requirements and actual runtime needs.
Instruction Scope
Runtime instructions and examples are narrowly focused on building requests to the external tool-gateway.linkfox.com API (and a separate feedback endpoint). The SKILL.md does not instruct the agent to read unrelated files, secrets, or system paths. The trigger rules are broad (activate when user intent is about competitor research) but within the described domain.
Install Mechanism
There is no install spec; this is an instruction-only skill with one small helper script. Nothing is downloaded or written to disk by the skill itself, which minimizes install-time risk.
Credentials
The skill requires an API key (LINKFOXAGENT_API_KEY) to call the LinkFox gateway as shown in api.md and enforced in the Python script, but the skill metadata lists no required env vars or primary credential. Requesting a single API key for the external service is proportionate to the described function, but the manifest omission is a significant inconsistency that could cause surprise or misconfiguration. Also there is no published homepage or provenance for the skill owner, so providing an API key to an unknown third party carries risk.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system settings. It runs as-needed and requires the API key only to contact the external API; no elevated or persistent platform privileges are requested.
What to consider before installing
This skill's code and docs show it calls an external LinkFox SellerSprite API and needs an API key (LINKFOXAGENT_API_KEY), but the skill manifest incorrectly states no env vars are required and there is no homepage or verified publisher. Before installing:

1. Confirm the provider (tool-gateway.linkfox.com / LinkFox) is trustworthy and that you expect to share an API key with them.
2. Do not reuse high-privilege keys; create a limited/test key if possible.
3. Ask the publisher to correct the manifest to declare LINKFOXAGENT_API_KEY as a required credential and to provide provenance/homepage.
4. If you cannot verify the service or publisher, avoid installing, or restrict network access and test in a sandbox.

The included Python script is short and readable (no obfuscation), so the primary concern is the missing manifest declaration and unknown origin rather than hidden code behavior.


Latest version id: vk97f32jw7c4ps2gd72j00qjb0984079w
