Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Zhihuiya Patent Image Search
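v1.0.0
Zhihuiya-based patent image similarity search that supports retrieving design patents and utility model patents by image URL. When the user mentions patent image search, design patent infringement checks, design patent search, visual patent lookup, searching patents by image, patent similarity detection, patent image matching, Locarno classification search, checking whether a product design infringes existing patents, patent image search, design patent...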
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's code and references clearly call the LinkFox/Zhihuiya tool gateway and require an API key (environment variable LINKFOXAGENT_API_KEY) to authenticate requests. However, the registry metadata declares no required environment variables or primary credential. That omission is an incoherence: a networked API-backed patent-image search legitimately requires an API key, so the metadata should declare it. Also, the skill source/homepage is unknown, which reduces traceability.
Instruction Scope
SKILL.md and references/api.md instruct the agent to call the external endpoint https://tool-gateway.linkfox.com/zhihuiya/patentImageSearch and reference a separate feedback endpoint. The runtime instructions and included script are scoped to performing searches and formatting results; they do not instruct the agent to read unrelated local files. However, they do rely on sending the user-provided image URL (and thereby image content accessible via that URL) to an external service. This is expected for the stated purpose, but it is important privacy/data-flow behavior to highlight.
Install Mechanism
There is no install spec (instruction-only skill) and no downloads or package installs. A Python script is included that can be run directly. No third-party installers or unusual network downloads are present in the manifest.
Credentials
The code requires a single secret-like environment variable LINKFOXAGENT_API_KEY for Authorization, but the skill metadata did not declare this requirement or a primary credential. That mismatch is concerning because users may not be aware a secret is needed. Additionally, using the skill transmits image URLs (and likely the image content fetched by the service) and search parameters to external LinkFox endpoints; for proprietary images or confidential designs this is a data-exfiltration/privacy risk. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request permanent 'always' inclusion, does not modify other skills or system-wide settings, and has no install-time persistence mechanism. Autonomous invocation is allowed by default but is not combined here with broad privileges or undisclosed credentials.
What to consider before installing
This skill's code implements the advertised patent image search and calls LinkFox/Zhihuiya endpoints, but the package metadata fails to declare that it requires an API key (LINKFOXAGENT_API_KEY). Before installing:
1) Treat the skill as a third-party networked tool: any image URL you submit will be sent to https://tool-gateway.linkfox.com and may expose design images to that provider. Do NOT submit proprietary/confidential images unless you trust the service and its data handling.
2) Confirm the identity and trustworthiness of the skill owner (source/homepage is missing).
3) Only provide an API key with least privilege and rotate/remove it if you stop using the skill.
4) Ask the publisher to update the skill metadata to explicitly list LINKFOXAGENT_API_KEY (and to provide a homepage/privacy/terms link) so the credential requirement is transparent.
If you need help vetting the remote endpoints or the API key provisioning process, obtain those details before enabling the skill.
Like a lobster shell, security has layers — review code before you run it.
