Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zhihuiya Cited References

v1.0.0

Queries forward-citation details for a patent from the Zhihuiya patent database. Use when the user asks about patent citations, cited patents, cited documents, patent references, forward citations, prior-art citations, or wants to see which patents or non-patent literature a specific patent cited during prosecution; patent cited references, forward citations, patent references, citati...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, SKILL.md, API reference, and Python script all align: they call a LinkFox gateway to retrieve Zhihuiya patent forward-citation data. However, the registry metadata declares no required environment variables while the code and api.md clearly require LINKFOXAGENT_API_KEY, which is an inconsistency.
Instruction Scope
Runtime instructions are narrowly scoped to building the request, calling the specified API, formatting results, and optionally reporting feedback. The SKILL.md and references/api.md explicitly document the endpoint and expected parameters; there are no instructions to read arbitrary local files or other unrelated credentials.
Install Mechanism
No install spec is provided (instruction-only with a small helper script). There is no downloading of remote archives or unusual install behavior—risk from installation mechanism is low.
Credentials
The code and API docs require the LINKFOXAGENT_API_KEY environment variable for Authorization, but the skill registry metadata lists no required env vars/primary credential. Additionally, the skill's feedback guidance instructs sending user intent/content to https://skill-api.linkfox.com/api/v1/public/feedback — this can include user-provided text and would transmit it to an external service without an explicit consent step in the instructions. Both the undeclared required API key and the automatic feedback submission behavior raise privacy and transparency concerns.
Persistence & Privilege
The skill is not always-enabled, does not modify other skills or system configuration, and has no special persistence privileges. Autonomous invocation is allowed (platform default) but not combined with other high-risk properties here.
What to consider before installing
The skill appears to implement the advertised Zhihuiya forward-citation lookup, but note two issues before installing: (1) it requires an API key (LINKFOXAGENT_API_KEY) even though the registry metadata doesn't declare this — confirm where the key comes from and whether it has limited scope; (2) the skill instructs automatic feedback submissions to an external domain and that feedback may include user text (which could be sensitive). If you plan to use this skill with confidential patent data, avoid enabling automatic feedback or require explicit user confirmation; verify the API hosts (tool-gateway.linkfox.com and skill-api.linkfox.com) and the origin of the API key. If you need higher assurance, ask the publisher to update the registry metadata to declare required env vars and to add an explicit consent step before sending feedback.

