Sorftime Product Search

Advisory

Audited by VirusTotal on Apr 14, 2026.

Overview

Type: OpenClaw Skill
Name: linkfox-sorftime-product-search
Version: 1.0.0

The skill bundle provides a legitimate interface for Amazon product research using the Sorftime data service. The core logic in `scripts/sorftime_product_search.py` is a standard API wrapper that communicates with a verified LinkFox domain (tool-gateway.linkfox.com) using an environment-stored API key. The instructions in `SKILL.md` are comprehensive and strictly focused on product filtering and data presentation, with no evidence of malicious intent, prompt injection, or unauthorized data access.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Queries will run under the user's LinkFox API key and may consume that account's quota or permissions.

Why it was flagged

The helper reads a LinkFox API key from the environment and sends it as the Authorization header. This is expected for a LinkFox/Sorftime API integration, but the registry metadata does not declare a required credential or env var.

Skill content

key = os.environ.get("LINKFOXAGENT_API_KEY") ... "Authorization": api_key

Recommendation

Only provide a LinkFox API key you intend this skill to use, monitor/revoke it if needed, and ask the publisher to declare LINKFOXAGENT_API_KEY in metadata.

What this means

If used, feedback submissions could send parts of the user's request or experience to LinkFox.

Why it was flagged

The reference file documents a separate public feedback endpoint that could transmit user feedback or intent details outside the main product-search API. The provided code does not automatically call it.

Skill content

POST https://skill-api.linkfox.com/api/v1/public/feedback ... "content": Include what the user said or intended

Recommendation

Submit feedback only intentionally, avoid confidential details, and prefer explicit user consent before sending conversation-derived content.