Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zhihuiya Claim Data

v1.0.0

Retrieves patent claim data from Zhihuiya (PatSnap). Use when the user mentions patent claims, claim text, independent claims, dependent claims, the number of claims, a claim tree, claim analysis, claim scope, claim language, or wants to view the claims section of a specific patent, patent claims, independent claims, dependent claims...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose is to retrieve patent claim data from Zhihuiya (PatSnap). The implementation calls a LinkFox gateway (https://tool-gateway.linkfox.com/zhihuiya/claimData) rather than a PatSnap domain. That could be legitimate (a proxy service) but the metadata does not disclose this. Also the code requires an API key (LINKFOXAGENT_API_KEY) even though the registry lists no required credentials — a clear mismatch.
Instruction Scope
SKILL.md and the included references describe only claim-retrieval behavior, which is appropriate. However, the runtime instructions and the script rely on an environment API key and a LinkFox feedback API (reference doc) that are not declared in the metadata. The skill does not instruct reading unrelated files, but it does direct data (user-supplied patent identifiers and responses) to an external third-party gateway.
Install Mechanism
No install spec is provided (instruction-only plus a small Python script). No archives or external installers; the included script uses standard Python libraries and performs an outbound HTTP POST. This is lower-risk than remote code download/install.
Credentials
The code requires LINKFOXAGENT_API_KEY (read from environment) to call the gateway, but the skill metadata declares no required env vars or primary credential. Requesting an API key to a third-party gateway is reasonable for an API-backed skill, but it should be declared explicitly and the provider should be identified. Because the gateway is not an official PatSnap domain and the repository/homepage is missing, granting an API key may expose queries and results to an unclear party.
Persistence & Privilege
The skill does not request always:true, does not attempt to modify other skills, and contains no install scripts that persist or elevate privileges. It runs as an on-demand tool calling an external API.
Scan Findings in Context
[uses-env-LINKFOXAGENT_API_KEY] unexpected: The script and reference docs require LINKFOXAGENT_API_KEY to authorize requests to the LinkFox gateway, but the skill metadata lists no required environment variables or primary credential — this is an inconsistency the user should be aware of.
[external-endpoint-tool-gateway.linkfox.com] unexpected: Calling an external API endpoint is expected for this skill, but the endpoint is a LinkFox gateway (tool-gateway.linkfox.com) rather than an official PatSnap domain; the skill does not document the relationship or privacy implications, and the owner's homepage is missing.
What to consider before installing
Before installing, verify who operates the LinkFox gateway and whether it's an authorized proxy for Zhihuiya/PatSnap. Ask the skill publisher to (1) declare LINKFOXAGENT_API_KEY in the skill metadata and explain what the key gives access to, (2) provide a homepage/privacy policy describing how query data and results are stored or shared, and (3) confirm why an official PatSnap endpoint isn't used. Do not provide high-privilege or unrelated credentials; if you test, use non-sensitive example patent IDs. If you cannot confirm the gateway's trustworthiness, avoid installing or limit use to local/manual queries instead.
