Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Zhihuiya Legal Status
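v1.0.0
Query patent legal status information from the Zhihuiya (PatSnap) database. When the user mentions patent legal status, patent validity verification, patent status lookup, patent event history, simple legal status, legal events such as transfer, license, pledge, opposition, litigation, and reexamination, patent legal status, patent validity, patent events, transfer/lice...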
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated purpose (querying Zhihuiya/PatSnap legal status) aligns with the included code and API references, but the registry metadata lists no required environment variables or primary credential while both the script and the API reference require LINKFOXAGENT_API_KEY. That missing declaration is inconsistent with the claimed capability.
Instruction Scope
SKILL.md and references/api.md describe calling https://tool-gateway.linkfox.com/zhihuiya/legalStatus with an Authorization header and give display/error-handling guidance. The runtime instructions and included script are narrowly scoped to sending patentId/patentNumber to that endpoint and returning results; they do not instruct reading unrelated files or exfiltrating other environment variables. However, the docs also reference a separate feedback endpoint (https://skill-api.linkfox.com) — the script does not call it, but the presence of a second external endpoint should be noted.
Install Mechanism
No install spec and the included Python script uses only stdlib modules. Nothing is downloaded or written to disk during install, so install risk is low.
Credentials
The code and API docs require an API key via the environment variable LINKFOXAGENT_API_KEY and will send it as an Authorization header to an external service. The registry metadata, however, declares no required env vars or primary credential — this omission is disproportionate and misleading. Requiring a single API key for remote queries would be reasonable, but the metadata should declare it explicitly. Users should verify the key's scope and revocability before supplying it.
Persistence & Privilege
always is false and the skill does not attempt to alter system or other-skill configuration. It does not request permanent persistence or elevated privileges.
What to consider before installing
Before installing:
1) Ask the publisher to update the skill metadata to explicitly list LINKFOXAGENT_API_KEY as a required credential (the code and API docs use it).
2) Verify you trust the domains tool-gateway.linkfox.com and skill-api.linkfox.com and confirm how to obtain the API key (the docs point to an internal Feishu wiki).
3) Only provide an API key with the minimal scope and one you can revoke; avoid putting high-privilege or shared credentials into the environment.
4) If you need higher assurance, request a publisher identity/homepage and provenance for this skill (who operates linkfox), or run the skill in an isolated environment.
5) Confirm whether the skill will (or may later be modified to) call the feedback endpoint or other external services and whether any user data will be retained or logged externally.
Like a lobster shell, security has layers — review code before you run it.
latest vk9707r7ztrnhmpvbb75e4d51e58431zb
