Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Sorftime Product Search
v1.0.0 Multi-dimensional Amazon product search and filtering based on Sorftime data, covering 14 marketplaces, with support for looking back at historical monthly snapshots. Triggered when the user mentions Sorftime product search, Amazon product filtering, competitor research, category analysis, brand best-sellers, seller analysis, seasonal products, historical snapshot review, product search, monthly sales volume and revenue, finding products by ABA keyword, price-range filtering, new-product discovery, multi-condition combined filtering, product se...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw verdict: Suspicious (medium confidence)
Purpose & Capability
The skill claims to provide Sorftime-backed Amazon product search and the included script and API reference call a Sorftime / LinkFox gateway endpoint. The capability requested (calling tool-gateway.linkfox.com) matches the described purpose, but the metadata omits the single obvious required credential (LINKFOXAGENT_API_KEY), which is inconsistent.
Instruction Scope
SKILL.md and references/api.md clearly describe how queries are built and which API to call. The runtime instructions and the script only request the service API key and send POST requests to the documented endpoints; they do not instruct the agent to read unrelated files or credentials. However, the instructions explicitly require an Authorization header containing LINKFOXAGENT_API_KEY, which is not declared in the skill's top-level requirements (the same incoherence noted under Purpose & Capability).
Install Mechanism
This is an instruction-only skill with no install spec and a small helper script. No downloads, package installs, or archive extraction are present, which is low risk from an install perspective.
Credentials
The code and API reference require one environment variable, LINKFOXAGENT_API_KEY, which is appropriate for calling a protected API. The concern is that the skill metadata declares no required env vars or primary credential, so the agent or user won't be alerted that a secret is needed. This mismatch could lead to accidental credential exposure or confusion about where to store the key.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges; its "always" flag is false, and it does not modify other skills or system-wide configuration. It only attempts network calls to external LinkFox endpoints when invoked.
What to consider before installing:
- The script and API docs expect an API key in the environment variable LINKFOXAGENT_API_KEY, but the skill metadata does not declare this. Ask the provider to update the metadata to list LINKFOXAGENT_API_KEY as a required credential.
- Confirm that you trust the endpoints https://tool-gateway.linkfox.com and https://skill-api.linkfox.com and the source that issues the API key. The docs point to a Feishu wiki for obtaining a key; verify that process with the vendor and prefer official documentation or a company portal.
- Limit the API key's scope if possible (create a token that only permits productQuery calls) and avoid reusing broader credentials.
- Review sample queries you plan to run to ensure they don't include sensitive data; the skill will send your query parameters to an external service.
- If you are uncomfortable with the undeclared env var or the external endpoints, do not install; ask the developer to correct the metadata and provide an authoritative key-provisioning URL or documentation.
Confidence note: medium — the code and docs are consistent with the stated purpose, but the omission of the required environment variable from the skill metadata is a clear inconsistency that should be clarified before use.
Version: latest (vk97ddfee8g1qnfr0y9pyqcmmfx84txa6)
