Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Sif Keyword Overview
v1.0.0亚马逊市场关键词竞争度的SIF概览分析。当用户提到关键词竞争度、供需比、竞品数量、关键词搜索量估算、市场竞争力评估、关键词热度排名、广告竞争分析、某个关键词下的商品数量、keyword competition, supply-demand ratio, competitor count, search popul...
⭐ 0· 33·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name, description, SKILL.md, references/api.md, and the Python script all align: the skill queries a LinkFox 'sif/keywordOverview' endpoint to return keyword competition metrics for Amazon marketplaces. The supported marketplaces and data fields match the stated purpose.
Instruction Scope
SKILL.md and the Python script confine behavior to preparing a JSON request and POSTing it to the documented API. The instructions do not ask the agent to read unrelated system files or transmit unrelated data. They do recommend translating keywords to the marketplace language before querying, which is reasonable for the purpose.
Install Mechanism
There is no install specification and no remote downloads; this is effectively an instruction-only skill with a small included script. Nothing in the files would write or fetch arbitrary code during install.
Credentials
The Python script and references/api.md require an API key via the environment variable LINKFOXAGENT_API_KEY, but the registry metadata lists no required env vars or primary credential. That omission is an inconsistency: the skill will fail unless a user provides that secret, and the registry does not surface that requirement for evaluation. Apart from that single key, no other credentials are requested and use of an API key is proportionate to the stated functionality.
Persistence & Privilege
The skill is not always:true, does not request persistent/system-wide changes, and contains no code to modify other skills or system settings. Agent autonomy (model invocation) is allowed by default but not combined with other concerning privileges here.
What to consider before installing
This skill appears to implement exactly what it claims — making POST requests to LinkFox's SIF keyword overview API and returning metrics — but the package metadata fails to declare the required API credential (LINKFOXAGENT_API_KEY) even though both the script and the API reference expect it. Before installing: (1) confirm the skill's provenance and that tool-gateway.linkfox.com / skill-api.linkfox.com are legitimate and trusted endpoints for you; (2) do not export production-wide secrets — create and use a least-privilege API key for this skill if possible; (3) verify the API key source (the Feishu wiki link in the files points to an internal doc — confirm it is an official onboarding page); (4) if you require the registry to surface required env vars, ask the publisher to update metadata so automated checks can see the dependency; (5) review the included script locally (it's small and readable) and consider running it in a controlled environment first. The mismatch between declared requirements and the actual script is the main reason this is flagged as suspicious rather than benign.Like a lobster shell, security has layers — review code before you run it.
latestvk978f02hzg4vxgmagyam84ktrh8413w1
License
MIT-0
Free to use, modify, and redistribute. No attribution required.