Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Walmart Search

v1.0.0

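Search and browse Walmart product listings by keyword, category, price range and other criteria. Triggered when the user mentions Walmart product search, Walmart product listings, Walmart price comparison, Walmart competitor analysis, Walmart product-selection research, Walmart market data, finding products on Walmart, Walmart search, Walmart products, Walmart product se...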

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
[!] Purpose & Capability
The skill's stated purpose (search Walmart product listings) is coherent with calling an API, but the code and API docs show it uses a LinkFox gateway (https://tool-gateway.linkfox.com) and requires an API key for that gateway. The registry metadata lists no required environment variables or primary credential — a direct mismatch (the skill will fail without LINKFOXAGENT_API_KEY).
[!] Instruction Scope
Runtime instructions and the included script send user queries to an external LinkFox endpoint and also reference a separate feedback API (skill-api.linkfox.com). The SKILL.md triggers broadly on any Walmart‑search intent, but does not clearly disclose that user search queries will be sent to a third party. The instructions do not read local files, but they do transmit user-supplied query data off‑agent to an external service.
Install Mechanism
There is no install spec (instruction-only deployment), and no downloads or extraction. The only executable code is a small included Python script; nothing is fetched from arbitrary URLs during install.
[!] Credentials
The script expects LINKFOXAGENT_API_KEY (used in Authorization header) and points users to an internal Feishu wiki to obtain it, but the skill's registry metadata does not declare any required env vars. Requiring a gateway API key (not a Walmart key) is plausible but should be declared and justified in the metadata; absent that, this is disproportionate and opaque.
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistent privileges, and it does not modify other skills or system configs. It runs only when invoked.
What to consider before installing
This skill will send user search queries to a LinkFox gateway (tool-gateway.linkfox.com) and requires an API key (LINKFOXAGENT_API_KEY) although the registry metadata does not declare it. Before installing: (1) verify and trust the LinkFox service and its privacy policy — queries and any product/context you send will be routed there; (2) ask the publisher to update the skill metadata to declare required environment variables and explain why the gateway is used instead of calling Walmart directly; (3) avoid supplying other secrets (AWS, Walmart, or system tokens); (4) if you need to evaluate safely, run the included script in an isolated environment and inspect network traffic or request a self‑hosted / direct Walmart integration instead. If the skill's source/publisher is unknown or untrusted, treat data you send through it as shared with a third party.
