Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zhihuiya Description

v1.0.0

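Retrieve patent specification (description) data from the Zhihuiya patent database by patent ID or publication number. When the user mentions patent specifications, patent full text, patent technical descriptions, patent embodiment details, Zhihuiya specification data, patent specification, patent full text, technical description, embodiment details,...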

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill's stated purpose (fetch patent descriptions from Zhihuiya) matches the included code and docs: they call https://tool-gateway.linkfox.com/zhihuiya/descriptionData. However, the registry metadata declares no required environment variables or primary credential, yet both references/api.md and scripts/zhihuiya_description_data.py require an API key (LINKFOXAGENT_API_KEY). That metadata omission is an incoherence users should be aware of.
Instruction Scope
SKILL.md and the included script restrict behavior to constructing and POSTing JSON queries for patentId/patentNumber to the LinkFox tool gateway and formatting results. There is no instruction to read unrelated system files or exfiltrate arbitrary data. The docs also reference a separate feedback endpoint (https://skill-api.linkfox.com) for optional feedback submission; this is noted but not used by the main script.
Install Mechanism
This is instruction-only with an included utility script; there is no install spec or remote download. No archives or third-party package installs are performed by the skill itself, so installation risk is low.
! Credentials
The script and API docs require an API key via the environment variable LINKFOXAGENT_API_KEY (used in Authorization header). Requesting a single service API key is proportionate to the stated function, but the skill registry metadata does not declare this required environment variable — a mismatch that could mislead users about secrets the skill needs. The API key grants access to an external service and should be disclosed in metadata and vetted by the user.
Persistence & Privilege
The skill does not request persistent or elevated privileges (always:false). It does not attempt to modify other skills or system configuration. Autonomous invocation is enabled by default, which is normal and not by itself a problem.
What to consider before installing
This skill will send patent IDs/publication numbers to an external service (tool-gateway.linkfox.com) and requires you to provide an API key in the environment variable LINKFOXAGENT_API_KEY, but the registry metadata did not list that requirement. Before installing: (1) verify you trust the LinkFox endpoints and owner (no homepage provided), (2) do not put highly sensitive credentials into the environment unless you trust the service, (3) ask the publisher to update the registry to declare LINKFOXAGENT_API_KEY and to document where the key comes from, and (4) consider testing in a sandbox environment and inspecting network traffic if you need stronger assurance.
