Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sellersprite Product Search

v1.0.0

Search and filter Amazon products using SellerSprite data, with multi-dimensional conditions such as price, monthly sales, BSR rank, gross margin, rating, fulfillment method, tags and seller origin, across multiple Amazon marketplaces. Triggered when the user mentions Amazon product-selection research, product filtering, sales filtering, product discovery, BSR analysis, niche product discovery, competitor analysis, market opportunity assessment, product-level market size estimation, gross-margin filtering, SellerSprite pr...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The SKILL.md and the included Python script both call the SellerSprite productSearch API at https://tool-gateway.linkfox.com and require an API key (LINKFOXAGENT_API_KEY). That capability aligns with the skill's stated purpose (Amazon product search). However, the registry metadata lists no required environment variables or primary credential, which contradicts the code and API docs. The skill source/homepage is also missing, reducing traceability.
Instruction Scope
Runtime instructions and the script are narrowly scoped to building a JSON request and POSTing it to the documented SellerSprite API, then formatting results. The SKILL.md also indicates the skill should auto-trigger for broad product-research intents (may be over-broad but not in itself malicious). The instructions do not attempt to read other system files or unrelated env vars.
Install Mechanism
This is an instruction-only skill with a small helper script; there is no install spec, no downloaded artifacts, and no obfuscated code. The included Python script uses standard library modules and performs a single network request.
Credentials
The script and API docs require a single API key via the environment variable LINKFOXAGENT_API_KEY — that is plausible and proportionate for calling a third-party web API. However, the registry metadata does not declare this required env var (or any primary credential), which is an incoherence that could hide unexpected credential usage. The skill also documents an additional feedback endpoint (skill-api.linkfox.com) which is separate but not unusual; confirm whether feedback calls will be made automatically.
Persistence & Privilege
The skill does not request persistent 'always' inclusion and there is no indication it modifies other skills or global agent configuration. It only performs outbound HTTP requests when invoked.
What to consider before installing
Before installing, confirm the missing declaration of the required API key: the included script and docs expect LINKFOXAGENT_API_KEY but the registry metadata lists no required env vars. Verify you trust the endpoints (tool-gateway.linkfox.com and skill-api.linkfox.com) and the skill owner (no homepage provided). Ask the publisher to: (1) update the registry metadata to declare LINKFOXAGENT_API_KEY as a required credential, (2) provide a homepage or publisher identity, and (3) clarify whether any feedback or telemetry is sent automatically. If you proceed, only supply an API key with scoped permissions you trust and monitor network usage; do not reuse high-privilege secrets.

