Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zhihuiya Abstract Image

v1.0.0

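Retrieves patent abstract drawings from the Zhihuiya (PatSnap) patent database by patent ID or publication number. When the user mentions patent abstract drawings, patent drawings, patent schematics, patent images, abstract drawing retrieval, patent image lookup, patent abstract images, patent drawings, patent illustrations, PatSnap, abstract image...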

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name, description, SKILL.md, references/api.md, and the Python script all align: they call LinkFox's Zhihuiya abstractImage endpoint to return patent drawing URLs. There are no unrelated binaries, packages, or absurd permissions requested for the stated task.
! Instruction Scope
Runtime instructions and the included script perform network calls to https://tool-gateway.linkfox.com/zhihuiya/abstractImage and advise using a Feedback API at https://skill-api.linkfox.com/api/v1/public/feedback. The SKILL.md and references instruct the agent to use an API key from an environment variable (LINKFOXAGENT_API_KEY). The instructions do not attempt to read unrelated local files, but they do instruct the agent to contact two external services (tool-gateway and skill-api).
Install Mechanism
No install spec is present (instruction-only skill with an included helper script). That is low-risk from an installation perspective — the skill will not automatically download or install third-party code. The provided Python script is readable and calls the external API; nothing is obfuscated.
! Credentials
The skill requires an API key (LINKFOXAGENT_API_KEY) per references/api.md and the script, but the registry metadata declared no required environment variables or primary credential. Requesting a single service API key is proportionate to the task, but the omission in metadata is an inconsistency that can hide the need to provide a secret.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence. It does not modify other skills or system settings. It can be invoked by the model (normal behavior).
What to consider before installing
This skill appears to do what it says (retrieve patent abstract images) and its code is readable, but the package metadata omitted the required API key. Before installing or enabling:

1) Confirm you trust the domains tool-gateway.linkfox.com and skill-api.linkfox.com and the skill author (LinkFox) — the skill will send requests to those endpoints.
2) Be aware you must provide LINKFOXAGENT_API_KEY (an environment variable) — ensure the key is scoped/minimally privileged and revocable.
3) The skill will fetch image URLs that may be rendered by your client (external image loads); consider privacy implications.
4) If you expect the registry to declare required credentials, ask the publisher to update metadata to list LINKFOXAGENT_API_KEY explicitly.

If you cannot verify trust in LinkFox or the API endpoints, do not provide credentials or enable the skill.

Like a lobster shell, security has layers — review code before you run it.
