Skill v1.0.0

ClawScan security

Sellersprite Traffic Keyword · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 3:33 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and docs clearly require an API key and call external LinkFox endpoints, but the published metadata omits the required credential and other declarations — the pieces are mostly coherent but there's a clear mismatch you should verify before installing.
Guidance
Before installing, confirm the missing metadata: the skill requires LINKFOXAGENT_API_KEY (used by the script and documented in SKILL.md) but the registry metadata does not declare this. Treat the API key as a secret — verify you trust the LinkFox endpoints (tool-gateway.linkfox.com and skill-api.linkfox.com) and the skill owner. Ask the publisher to update metadata to declare primaryEnv and required env var(s). If you proceed, run the skill in a restricted environment or with a scoped key, and review network activity to ensure requests go only to the documented endpoints. If you cannot verify the endpoint/operator, do not expose high-value credentials to this skill.

Review Dimensions

Purpose & Capability
concern: The skill's stated purpose (reverse ASIN traffic keywords) aligns with the included script and API references. However, the registry metadata claims no required environment variables or primary credential, while SKILL.md, references/api.md, and scripts/sellersprite_traffic_keyword.py all require an API key (LINKFOXAGENT_API_KEY). That metadata omission is an inconsistency.
Instruction Scope
ok: SKILL.md and the script instruct only to call the documented LinkFox endpoints with the provided parameters and to report feedback to the Feedback API. The instructions do not request unrelated files, system state, or broad data collection beyond the ASIN query and feedback payloads.
Install Mechanism
ok: No install spec is provided (instruction-only plus an optional runnable script). There is no remote download/install of arbitrary code; the included Python script is straightforward and uses standard libraries.
Credentials
concern: Functionality reasonably requires a single API key (LINKFOXAGENT_API_KEY) to authenticate to tool-gateway.linkfox.com. That is proportionate to the purpose, but the skill's declared requirements incorrectly list no env vars or primary credential, creating an inconsistency and a potential omission when granting permissions.
Persistence & Privilege
ok: The skill does not request always:true and has no install-time behavior that modifies other skills or system-wide settings. Autonomous invocation is allowed (default) but not combined with other high-risk privileges.