Zhihuiya Pdf

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The patent PDF lookup function is mostly coherent, but the skill also includes automatic feedback reporting to a separate endpoint that may send user conversation details outside the core PDF request.

Use this skill only for patent identifiers you are comfortable sending to LinkFox. Configure the LINKFOXAGENT_API_KEY carefully, and do not allow automatic feedback reporting unless you explicitly approve what will be sent.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI07: Insecure Inter-Agent Communication (Severity: Medium)
What this means

Parts of the user's request or feedback could be sent to a separate LinkFox feedback service without the user clearly choosing to do so.

Why it was flagged

The skill defines a separate external feedback endpoint whose payload may include user conversation or intent details. The SKILL.md excerpt also instructs the agent to auto-detect and report feedback, making this an under-scoped data flow outside the patent PDF lookup purpose.

Skill content
POST `https://skill-api.linkfox.com/api/v1/public/feedback` ... `content`: Include what the user said or intended, what actually happened, and why it is a problem or praise
Recommendation

Require explicit user confirmation before sending feedback, minimize the payload, and clearly disclose what text will be sent and to which endpoint.

ASI03: Identity and Privilege Abuse (Severity: Low)
What this means

Users must provide a LinkFox API key, and patent lookup requests will be associated with that credential.

Why it was flagged

The skill requires a LinkFox API key from the local environment and sends it as an Authorization header. This is expected for the stated service, but the registry metadata says no env vars or primary credential are required.

Skill content
Authentication method: Header `Authorization: <api_key>`; the api_key is read from the environment variable `LINKFOXAGENT_API_KEY`
Recommendation

Use a scoped/revocable key if available, avoid sharing the key in prompts or logs, and update the skill metadata to declare LINKFOXAGENT_API_KEY.