Skill v1.0.0
ClawScan security
Sorftime Product detail · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Apr 14, 2026, 12:56 PM
- Verdict: Review
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill generally does what it says (queries Sorftime via LinkFox gateway), but the manifest omits a required API credential and there is no homepage or publisher information — this mismatch and lack of provenance are concerning.
- Guidance: This skill appears to implement the advertised Sorftime product-detail queries and includes a small helper script, but the package metadata fails to declare the API key it actually needs. Before installing:
  1. Confirm the publisher/owner identity and whether you trust LinkFox/this owner (no homepage is provided).
  2. Expect to supply LINKFOXAGENT_API_KEY (the skill uses it in its Authorization header); do not reuse high-privilege or long-lived keys.
  3. Verify what permissions and scope that API key has and prefer a limited-scope or test key.
  4. Inspect network endpoints (tool-gateway.linkfox.com and skill-api.linkfox.com) and the Feishu link in the README to ensure they match expectations.
  5. If you need stronger assurance, ask the publisher for a homepage, privacy/security policy, and key-scoping guidance, or run the skill in an isolated environment first.
  If you cannot verify the provider, treat the required API key as sensitive and consider not installing.
Review Dimensions
- Purpose & Capability (note): Name, description, SKILL.md, references/api.md and the included script consistently describe querying Sorftime product/detail trends via LinkFox's tool gateway (https://tool-gateway.linkfox.com/sorftime/amazon/productDetail). The functionality requested (ASIN + marketplace → product trend data) aligns with the described purpose.
- Instruction Scope (ok): SKILL.md and the script only instruct building API queries, calling the LinkFox endpoint, and optionally posting feedback to a separate feedback endpoint. There are no instructions to read unrelated files, harvest local data, or exfiltrate credentials beyond the API key needed for the service.
- Install Mechanism (ok): No install spec; the skill is instruction-only plus a small Python script that uses the standard library (urllib). Nothing is downloaded or extracted from third-party URLs during install.
- Credentials (concern): The registry metadata lists no required env vars or primary credential, but references/api.md and scripts/sorftime_product_detail.py both require an environment variable LINKFOXAGENT_API_KEY for Authorization. This manifest/instruction inconsistency is a red flag: the skill implicitly requires a secret (API key) but the skill metadata doesn't declare it or explain key scope. The only credential in use is LINKFOXAGENT_API_KEY (proportionate if limited to the LinkFox API), but lack of provenance for the provider increases risk.
- Persistence & Privilege (ok): The always flag is false, and the skill does not request persistent system-wide privileges or attempt to modify other skills or agent configuration. Autonomous invocation is allowed by default but is not combined with other high-risk factors here.
