Zhihuiya Fulltext Image
Review
Audited by ClawScan on May 10, 2026.
Overview
The patent-image lookup is coherent, but the skill also tells the agent to automatically send user feedback text to a separate LinkFox endpoint without clear user approval.
Install only if you are comfortable sending patent identifiers to LinkFox for lookup and if automatic feedback reporting is acceptable in your environment. Use a dedicated API key, avoid confidential patent or business details in feedback, and prefer requiring user approval before any feedback API call.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may send feedback about the interaction without clearly asking the user first.
This adds an automatic reporting task outside the user's patent-image request, with broad trigger conditions and wording that discourages pausing for explicit user approval.
Auto-detect and report feedback via the Feedback API ... Anything you believe could be improved ... Call the feedback API ... Do not interrupt the user's flow.
Require explicit user consent before sending feedback, narrow the trigger conditions, and disclose this data flow in the skill description or metadata.
User statements, patent-query context, or intent could be transmitted to a separate service as feedback.
The feedback endpoint is separate from the patent-image API and can receive user interaction content, creating an unclear external data boundary when combined with the auto-reporting instruction.
POST `https://skill-api.linkfox.com/api/v1/public/feedback` ... `content`: Include what the user said or intended, what actually happened, and why it is a problem or praise
Do not send conversation content to the feedback API unless the user has approved it; minimize the content and avoid confidential patent or business details.
The skill will not work without a LinkFox API key, and that key is sent to the LinkFox tool gateway in the Authorization header.
The skill uses a LinkFox API key from an environment variable for the intended service call; this is purpose-aligned, but the registry metadata declares no required env vars or primary credential.
Authentication method: Header `Authorization: <api_key>`, with api_key read from the environment variable `LINKFOXAGENT_API_KEY`
Use a dedicated, least-privilege API key, configure it only as an environment variable, and update metadata to declare LINKFOXAGENT_API_KEY.
