Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zhihuiya Claim Translated

v1.0.0

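Retrieve translated patent claims from the Zhihuiya patent database. When the user asks about patent claims, claim translation, viewing claims in a specific language (Chinese, English, or Japanese), looking up patent rights by patent ID or publication number, analyzing claim text, claim translation, patent claim translation, PatSnap, patent transla...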

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (retrieve translated patent claims from Zhihuiya/PatSnap) aligns with the provided code and API docs: the script and SKILL.md call a LinkFox tool gateway to fetch translated claims. However, the registry metadata claims no required environment variables or primary credential, while the code and API reference require a LINKFOXAGENT_API_KEY — an inconsistency that should be resolved.
Instruction Scope
SKILL.md and the script constrain behavior to building a POST to the LinkFox API with patentId/patentNumber, lang, and replaceByRelated parameters, and to returning/parsing the response. The instructions do not ask the agent to read unrelated files or secrets. Note: SKILL.md also describes calling a separate Feedback API (skill-api.linkfox.com) for reporting user feedback, which transmits feedback content to a different external endpoint.
Install Mechanism
No install spec; this is instruction-only plus a small helper script. Nothing is downloaded or written by an install step.
Credentials
The script and API docs require an API key read from the environment variable LINKFOXAGENT_API_KEY, but the registry metadata lists no required env vars and no primary credential. That mismatch is a red flag: the skill will fail unless you provide that secret, and the registry did not declare it up front. No other credentials are requested.
Persistence & Privilege
always is false and the skill does not request persistent or elevated agent/system privileges or modify other skills. The skill only makes outbound HTTP requests when invoked.
Scan Findings in Context
[ENV_VAR_LINKFOXAGENT_API_KEY] expected: The API docs and the Python script read LINKFOXAGENT_API_KEY for Authorization. This is expected for a gateway API but is not declared in the skill's registry metadata.
[EXTERNAL_ENDPOINT_tool-gateway.linkfox.com] expected: The tool gateway endpoint (https://tool-gateway.linkfox.com/zhihuiya/claimDataTranslated) is the primary API for the skill and is appropriate for retrieving claim translations.
[EXTERNAL_ENDPOINT_skill-api.linkfox.com_feedback] expected: SKILL.md instructs using a separate feedback endpoint (https://skill-api.linkfox.com/api/v1/public/feedback). Feedback is a legitimate feature but it is a separate external destination for user-provided content; users should be aware that feedback text would be transmitted there.
What to consider before installing
This skill will send patent identifiers and request translated claim texts to LinkFox endpoints and requires an API key in the environment variable LINKFOXAGENT_API_KEY — but the package metadata did not declare that. Before installing: (1) confirm you trust tool-gateway.linkfox.com and skill-api.linkfox.com and review their privacy policy; (2) don't provide any sensitive secrets beyond the required API key; (3) expect that patent numbers and any feedback text may be transmitted to those servers; (4) ask the publisher to update the registry metadata to declare LINKFOXAGENT_API_KEY (and mark it as the primary credential) so the registry accurately reflects needed permissions. If you need higher assurance, request an explanation for why feedback is sent to a separate endpoint and inspect network traffic or run the script in an isolated environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dspjrbnf4ksdygjbsaymv4h8425rp
