Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zhihuiya Cited By

v1.0.0

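Queries patent cited-by data from Zhihuiya (PatSnap), including citation counts and details of the citing patents. When the user mentions patents being cited, cited-by analysis, patent influence, citation frequency, patent family citations, forward citations, wanting to know which patents cite a given patent, patent citations, citation count, patent influence, citation anal...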

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description, SKILL.md, references/api.md, and the script all consistently implement a PatSnap (Zhihuiya) 'cited-by' lookup via the LinkFox tool gateway. However, the package metadata declares no required environment variables while both references/api.md and scripts/zhihuiya_cited_by.py require an API key (LINKFOXAGENT_API_KEY). The missing declaration is an incoherence between claimed requirements and actual runtime needs.
Instruction Scope
The SKILL.md instructs the agent to call the LinkFox tool gateway (tool-gateway.linkfox.com/zhihuiya/patentCited) and optionally the separate feedback API (skill-api.linkfox.com). The instructions do not request broad system file reads or unrelated credentials. They do, however, instruct use of an environment variable for auth (LINKFOXAGENT_API_KEY) that is not listed in the skill metadata — a scope/requirements mismatch.
Install Mechanism
There is no install spec (instruction-only plus a small helper script). No external archives or package installs are performed; the included Python script uses stdlib urllib. This is low install risk.
Credentials
The only secret the runtime uses is LINKFOXAGENT_API_KEY (Authorization header). That credential is proportionate to calling the LinkFox API, but it is not listed under required env vars in the skill metadata — the undeclared secret requirement is a notable inconsistency. No other unrelated credentials or config paths are requested.
Persistence & Privilege
always is false, the skill does not request elevated or persistent system privileges, and it does not modify other skills or system-wide agent settings. Autonomous invocation remains enabled by default but is not combined with other high-risk flags here.
What to consider before installing
Before enabling this skill, note that the included script and API docs require an API key in the environment variable LINKFOXAGENT_API_KEY, but the skill metadata does not declare this requirement — confirm that you are comfortable providing that key. Verify you trust the external endpoints (tool-gateway.linkfox.com and skill-api.linkfox.com) and the LinkFox organization; limit the API key's scope and rotate it if possible. If you need stricter controls, ask the skill author to update the metadata to list LINKFOXAGENT_API_KEY as a required credential and to document what permissions the key requires. Finally, remember the skill will call external network endpoints to fetch citation data (expected behavior); if your environment restricts outbound network access, review or sandbox the skill first.

Like a lobster shell, security has layers — review code before you run it.
