Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zhihuiya Patent Family

v1.0.0

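Query Zhihuiya (PatSnap) patent family information by patent ID or publication number. When the user mentions patent family, patent family search, simple family, INPADOC family, PatSnap family, family patent lookup, patent equivalents, family members, finding related patents across countries, patent family, family patents, patent equivalents, cross-...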

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's name and description match its behavior: it queries a Zhihuiya/PatSnap patent-family API. However, the skill's registry metadata declares no required environment variables or credentials while the docs and script clearly require an API key (LINKFOXAGENT_API_KEY) to call https://tool-gateway.linkfox.com/zhihuiya/patentFamily. That mismatch is disproportionate and unexplained.
Instruction Scope
SKILL.md and references limit the agent to patent-family lookups, display rules, and error handling. The provided Python script only reads an environment variable for an API key and performs POST requests to the documented endpoints; it does not attempt to read arbitrary local files or unrelated credentials.
Install Mechanism
There is no install spec (instruction-only). A small helper script is included but nothing is automatically installed or written to disk by the skill metadata. This is low risk from an installation perspective.
Credentials
The code and references require LINKFOXAGENT_API_KEY to authenticate to the API gateway, yet the skill registry lists no required environment variables or primary credential. Requiring a secret API key for an external gateway is reasonable for this purpose, but the omission from metadata is a problematic discrepancy and could lead to unexpected prompts or failures. Verify who controls the API key and its scope before providing it.
Persistence & Privilege
The skill is not always-enabled, does not request elevated agent-wide privileges, and does not modify other skills or system configuration. Autonomous invocation is allowed (platform default) but is not combined here with other high-risk flags.
What to consider before installing
This skill appears to do what it says (query Zhihuiya/PatSnap patent-family data), but the package metadata incorrectly omits the API key requirement. Before installing or supplying credentials:
1) Confirm you trust the endpoint owner (tool-gateway.linkfox.com / linkfox) and understand how to obtain and revoke LINKFOXAGENT_API_KEY.
2) Ask the publisher to update registry metadata to declare LINKFOXAGENT_API_KEY as a required env var so permission requests are explicit.
3) If you must test, run the script in an isolated environment and provide a scoped, revocable API key; do not reuse high-privilege or long-lived secrets.
4) If you cannot verify the API provider or publisher, do not install or provide credentials.
