Skill v1.0.0
ClawScan security
YouYing Shopee Product Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 14, 2026, 10:24 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill legitimately calls an external LinkFox API to search Shopee products, but it relies on an API key (LINKFOXAGENT_API_KEY) used by the included code and referenced API docs while the skill metadata does not declare any required environment variables — an incoherence you should resolve before installing.
- Guidance: This skill calls an external API at https://tool-gateway.linkfox.com/youying/shopee/getProductInfos, and the bundled script and API docs require an environment variable LINKFOXAGENT_API_KEY. Before installing, verify: (1) you are comfortable that queries (keywords, shop IDs, etc.) will be sent to LinkFox and that this is acceptable for any sensitive data you may supply; (2) the API key source is legitimate and you understand where to obtain it; and (3) the skill metadata is updated to declare LINKFOXAGENT_API_KEY as a required credential so you can review and control it. If the metadata remains silent about credentials, ask the skill author to correct the manifest or provide assurance about the key usage before enabling the skill.
Review Dimensions
- Purpose & Capability (concern): The skill's name, description, SKILL.md, references/api.md, and the included script all consistently target querying LinkFox's youying/shopee/getProductInfos API — this matches the declared purpose. However, the skill manifest lists no required environment variables or primary credential, while both the API reference and the bundled script require an API key (LINKFOXAGENT_API_KEY). Omitting this required credential from the metadata is an inconsistency and reduces transparency.
- Instruction Scope (ok): SKILL.md stays on task: converting user filter requests into API parameters, calling the LinkFox tool gateway, and presenting results. It does not instruct reading unrelated system files or exfiltrating data beyond the external API. It also documents display rules, error handling, and marketplace mappings.
- Install Mechanism (ok): There is no install spec (instruction-only skill plus a small utility script). Nothing is downloaded or extracted at install time, so there is no elevated install risk.
- Credentials (concern): The functionality reasonably requires a single service credential (LINKFOXAGENT_API_KEY). That is proportionate to the purpose, but the skill metadata does not declare this required environment variable or a primary credential. The omission is a transparency/manifest mismatch that could cause unexpected runtime failures or hidden credential usage.
- Persistence & Privilege (ok): The skill does not request persistent 'always' inclusion, does not modify other skills or system-wide settings, and contains no install-time scripts. It runs remotely against an API and prints results — no special privileges are requested.
