Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Zhihuiya Bibliography
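v1.0.0 Query patent bibliographic information in the Zhihuiya patent database by patent ID or publication number. When the user mentions patent bibliographic record queries, patent bibliography information, patent applicant lookup, patent inventor lookup, patent classification codes, patent abstract retrieval, patent citation analysis, patent priority claims, patent application citations, patent examiner information, patent bibliographic data, inventor lookup,...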
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's code and SKILL.md consistently implement querying Zhihuiya bibliographic data via LinkFox's gateway API; requiring an API key for that service is proportionate. However, the registry metadata lists no required env vars while both the docs and script expect LINKFOXAGENT_API_KEY — this mismatch is unexpected.
Instruction Scope
Runtime instructions and examples are focused and limited to calling the LinkFox API and presenting bibliographic fields. The SKILL.md and the included script only reference the API endpoint and the API key; there are no instructions to read unrelated files or credentials.
Install Mechanism
There is no install spec (instruction-only) and only a small Python helper script is included. No downloads from external, untrusted URLs or archive extraction are present.
Credentials
The code expects a single environment variable LINKFOXAGENT_API_KEY for Authorization in requests — this is reasonable for the skill's purpose. However, the skill manifest/registry metadata lists no required env vars, so callers may not be warned about the need to provide this secret. Confirming the exact env var requirement is necessary before installing or supplying credentials.
Persistence & Privilege
The skill does not request persistent/always-on privileges (always:false) and does not modify other skills or system config. It runs as a simple API client and prints results.
What to consider before installing
- The skill's code and docs call https://tool-gateway.linkfox.com/zhihuiya/bibliography and require an API key provided via the environment variable LINKFOXAGENT_API_KEY, but the registry metadata does not declare this — confirm with the publisher so you know which secret to provide.
- Verify the skill source or publisher (homepage is missing). If you don't trust the origin, avoid supplying real production API keys; instead use a low-privilege or test key.
- The network endpoint will receive any patent identifiers you query. If queries contain sensitive metadata, be sure you are comfortable sending them to tool-gateway.linkfox.com.
- If you proceed, inspect/run the included script in a sandbox first; restrict the API key's permissions and be ready to rotate it if needed.
- If you need reassurance, ask the publisher to update registry metadata to declare LINKFOXAGENT_API_KEY as a required env var and provide a homepage or contact for support.

Like a lobster shell, security has layers — review code before you run it.
