Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sif Asin Summary

v1.0.0

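Uses SIF (Search Intelligence Framework) data to analyze the composition of an ASIN's traffic sources and the distribution of its exposure. When the user mentions ASIN traffic sources, traffic structure analysis, the share of organic versus paid traffic, exposure score breakdown, competitor traffic analysis, the number of SP ad keywords, brand ad exposure, Amazon's Choice exposure, Editorial Recommendations exposure, Top Rated exposure, video ad exposure, organic search exposure ratio, PPC traffic...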

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's name, description, API endpoint (tool-gateway.linkfox.com/sif/asinSummary), and included script all align with the stated purpose (ASIN traffic/exposure analysis). Requiring access to a LinkFox API is reasonable for this purpose. However, the package/registry metadata lists no required environment variables while both references/api.md and scripts/sif_asin_summary.py clearly rely on LINKFOXAGENT_API_KEY — an inconsistency between claimed requirements and actual needs.
Instruction Scope
The SKILL.md instructs the agent to call the LinkFox SIF ASIN Summary API and/or run the provided script. Instructions reference only the documented API endpoint and a separate feedback endpoint; there are no instructions to read unrelated system files, other credentials, or to send data to unexpected third-party hosts beyond the documented LinkFox domains.
Install Mechanism
There is no install spec (instruction-only runtime), so nothing will be downloaded or installed automatically. A Python script is bundled and can be executed, which is expected for an instruction-driven skill that provides a helper script.
Credentials
The script and API reference require an API key via environment variable LINKFOXAGENT_API_KEY, but the skill metadata states 'Required env vars: none'. This mismatch could cause confusion and accidental misconfiguration. Requesting a single service API key is proportionate to the task, but the omission in metadata is a red flag that the declared surface doesn't match what the skill actually needs. Also note the feedback endpoint (skill-api.linkfox.com) is unauthenticated per docs — confirm what data is sent there and whether it may include user-provided responses.
Persistence & Privilege
The skill does not request always:true and does not indicate it will persist configuration beyond its own operation. It doesn't attempt to modify other skills or system settings. Autonomous invocation is allowed (platform default) but not exceptional here.
What to consider before installing
Before installing or enabling this skill:
(1) Recognize the inconsistency — the script and API docs require LINKFOXAGENT_API_KEY but the skill metadata claims no env vars. Ask the publisher to correct metadata.
(2) Only provide an API key scoped/minimized for querying the LinkFox SIF API; avoid using broader or production credentials.
(3) Verify you trust the domains tool-gateway.linkfox.com and skill-api.linkfox.com and review their privacy/data policies — the skill will send ASINs and query parameters to those endpoints.
(4) Inspect the bundled script (scripts/sif_asin_summary.py) yourself — it exits if the env var is missing and simply posts JSON to the stated API; it does not obfuscate behavior.
(5) Confirm what (if any) user data is posted to the separate feedback endpoint and whether feedback is sent automatically or only when explicitly invoked.
Resolving the metadata/env-var mismatch and confirming the API host trustworthiness would reduce risk.
