Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sif Asin Keywords

v1.0.0

Reverse-looks up the traffic keywords of any Amazon ASIN using SIF data, including organic rank, ad rank, search volume, traffic share and conversion markers. Use when the user mentions ASIN keyword analysis, reverse ASIN lookup, traffic keyword research, organic rank lookup, ad rank lookup, keyword position tracking, SIF keyword data, competitor keyword spying, seeing which keywords bring traffic to a product, analysing a specific ASIN's keyword performance, ASIN re...

0· 35·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (reverse ASIN keyword lookup using SIF data) aligns with the code and API references: the script and docs call the LinkFox tool gateway endpoint to fetch ASIN keyword data. The functionality requested (querying an external LinkFox API) is consistent with the stated purpose.
Instruction Scope
The SKILL.md and references/api.md instruct the agent to call https://tool-gateway.linkfox.com/sif/asinKeywords and to run scripts/sif_asin_keywords.py. Those runtime instructions also rely on an environment variable (LINKFOXAGENT_API_KEY) for Authorization. However, the skill metadata did not declare this required env var. The docs also describe a separate feedback endpoint (https://skill-api.linkfox.com/api/v1/public/feedback) that, if used, would send user-provided text to a different host — confirm whether/when feedback is sent and whether it includes user data.
Install Mechanism
Instruction-only install (no install spec) and an included Python script — nothing is downloaded from untrusted URLs. No package manager installs or archive extraction. This is lower-risk from an install mechanism perspective.
Credentials
The code and API reference require an API key read from LINKFOXAGENT_API_KEY, but the skill metadata lists no required env vars or primary credential. The single API key is proportionate to the purpose, but its omission from declared requirements is an inconsistency that should be fixed. Also confirm the API key's scope and lifetime — it grants the skill network access to an external service and could be abused if leaked.
Persistence & Privilege
The skill does not request always: true and does not appear to modify other skills or system-wide settings. It runs on-demand and prints responses; no persistent privileges were requested.
What to consider before installing
Key issues to check before installing:

- The skill uses an API key (LINKFOXAGENT_API_KEY) but the skill metadata does not declare it; ask the publisher to declare required env vars and provide guidance on obtaining and scoping the key.
- Verify you trust the endpoints: tool-gateway.linkfox.com (primary API) and skill-api.linkfox.com (feedback). Confirm privacy: ASINs, keywords, and any user messages will be sent to those remote hosts.
- Confirm the API key's permissions, expiration, and whether it can be scoped or revoked. Prefer using a dedicated, minimal-scope key for this skill.
- Because the skill executes a Python script that makes outbound HTTP requests, run it in a sandbox or review the script locally if you are cautious.
- Ask the publisher to remove or clearly document the feedback endpoint usage and whether feedback is sent automatically or only when the user explicitly triggers it.

If you cannot verify the key source or the endpoints' trustworthiness, treat the skill as untrusted. If you proceed, set the API key in a restricted environment (not a shared/system-wide secret) and monitor network activity.
