Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zhihuiya Description Translated

v1.0.0

Fetches the translated patent specification (description) text from Zhihuiya. Use when the user asks for a patent specification translation, the full text of a patent in another language, a translated full patent text, or wants to view the Chinese, English or Japanese version of a patent specification; patent specification translation, patent description translation, PatSnap, patent t...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
The skill's stated purpose (fetch translated patent descriptions from Zhihuiya via LinkFox) matches the included API reference and script, which call https://tool-gateway.linkfox.com/zhihuiya/descriptionDataTranslated. However, the registry metadata declares no required environment variables or primary credential, while both references/api.md and scripts/zhihuiya_description_translated.py require an API key (LINKFOXAGENT_API_KEY). The manifest's declared requirements therefore do not match what the skill actually needs.
Instruction Scope
SKILL.md and the Python script limit actions to forming a POST against the LinkFox endpoint and returning the API response. The instructions do not ask the agent to read unrelated system files or other credentials. The skill also documents a separate feedback API; this is expected for telemetry/feedback but is a second external endpoint to be aware of.
Install Mechanism
No install spec is provided (instruction-only with an included helper script). Nothing is downloaded or written by an installer, so installation risk is low.
Credentials (flagged)
The runtime requires a secret API key (LINKFOXAGENT_API_KEY) to be sent in the Authorization header; that is reasonable for accessing a paid/permissioned API. However, the skill's published metadata does not declare this required environment variable or a primary credential, which is a transparency/permission issue. Users need to know an API key (a secret) will be accessed and sent to https://tool-gateway.linkfox.com. No other unrelated secrets are requested.
Persistence & Privilege
The manifest's "always" flag is false, the skill does not request persistent system-wide changes, and the included script does not modify other skills or agent configuration. It only reads a single environment variable and exits if that variable is missing.
What to consider before installing
This skill appears to do what it says: call a LinkFox/Zhihuiya endpoint to fetch translated patent descriptions. However, the package metadata omitted a required secret: LINKFOXAGENT_API_KEY. Before installing or using the skill:

- Treat LINKFOXAGENT_API_KEY as a secret. Confirm the API key's origin and scope (who issued it and what permissions it grants). Use a least-privilege key if possible and a dedicated key for this skill.
- Verify you trust the endpoint domain (tool-gateway.linkfox.com) and the skill owner (linkfox namespace). If you can't verify the owner, consider testing with a throwaway key and non-sensitive queries first.
- The skill documents a separate feedback endpoint (skill-api.linkfox.com); be aware that feedback calls would send content externally if implemented. Review what user text might be included before sending feedback.
- Ask the publisher to update registry metadata to declare LINKFOXAGENT_API_KEY (and set primaryEnv if applicable). If the author makes that change and you verify the domain/owner, the mismatch concern would be resolved.

Confidence is medium because the behavior and endpoints in code and docs align with the declared purpose, but the manifest omission of the required API key and the presence of a second feedback endpoint are material transparency issues that should be clarified before trusting the skill with production keys or sensitive queries.
