Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zhihuiya Abstract Translated

v1.0.0

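Retrieve translated versions of patent titles and abstracts from the Zhihuiya (PatSnap) patent database. When the user asks for patent abstract translation, patent title translation, translated patent abstracts, patent content in other languages, patent abstracts in Chinese/English/Japanese, or needs to look up the abstract or title of a specific patent by patent ID or publication number, patent abstract translation, patent title tran...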

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose (fetch translated patent titles/abstracts from Zhihuiya/PatSnap) matches the code and documentation: both the script and references/api.md call a LinkFox tool gateway API. However, the registry metadata claims no required environment variables or primary credential while the implementation requires LINKFOXAGENT_API_KEY for Authorization. The absence of a declared required credential in the metadata is an incoherence.
Instruction Scope
SKILL.md and references/api.md confine instructions to calling the LinkFox API endpoint and formatting results; the included script (scripts/zhihuiya_abstract_translated.py) only reads the provided JSON parameters and the LINKFOXAGENT_API_KEY, makes an HTTPS POST, and prints the JSON response. There are no instructions to read unrelated local files or environment variables beyond the API key.
Install Mechanism
No install spec is provided (instruction-only with an optional helper script). That is low-risk from an install perspective. The included Python script is runnable but nothing in the package performs arbitrary downloads or writes during installation.
Credentials
The implementation expects a single environment variable LINKFOXAGENT_API_KEY (used as an Authorization header) which is proportionate to calling a private API. However, the registry metadata incorrectly lists no required env vars/primary credential. This mismatch is a meaningful gap: the package will fail or prompt for a key at runtime, and the absent declaration prevents automated reviewers from knowing the skill requires a secret.
Persistence & Privilege
The skill does not request permanent presence (always=false) and does not attempt to modify other skills or system-wide configuration. It only makes outbound HTTPS calls to the documented endpoints when invoked.
What to consider before installing
This skill appears to be a straightforward client for LinkFox's Zhihuiya translation API, but metadata omits the required API credential. Before installing or enabling:
1) verify you trust the domains tool-gateway.linkfox.com and skill-api.linkfox.com and the LinkFox owner (no homepage is provided);
2) confirm with the publisher why LINKFOXAGENT_API_KEY is not declared in the registry and what permissions that key grants;
3) if you proceed, create a scoped API key with minimal permissions and test with non-sensitive queries;
4) review the Feishu wiki URL in the docs to confirm official onboarding instructions; and
5) monitor network activity and rotate/revoke the key if anything unexpected occurs.

Like a lobster shell, security has layers — review code before you run it.
