Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Zhihuiya Simple Bibliography
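v1.0.0
Queries brief patent bibliographic data from the Zhihuiya patent database. When the user mentions patent bibliographic information lookup, retrieving basic patent information, patent bibliographic data, patent publication details, looking up inventors by patent number, patent applicant information, retrieving patent abstracts, patent classification codes (IPC/CPC), patent citation lookup, or any request to retrieve structured metadata by patent ID or publication number, patent brief bibliography...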
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's name, SKILL.md, reference docs, and the included script all consistently describe calling LinkFox's Zhihuiya simpleBibliography endpoint — that matches the stated purpose. However, the registry metadata claims 'Required env vars: none' while the code and references explicitly require LINKFOXAGENT_API_KEY for Authorization. This mismatch is incoherent: a network API key is necessary for the stated purpose but was not declared in the registry.
Instruction Scope
The runtime instructions (SKILL.md) and the included script only direct the agent to form POST requests to the LinkFox tool gateway and present returned bibliographic fields. They do not instruct reading arbitrary local files, scraping unrelated credentials, or sending data to unexpected third-party endpoints. The docs do reference a separate feedback endpoint (skill-api.linkfox.com) for user feedback; it is documented as separate from the tool API.
Install Mechanism
There is no install spec (instruction-only skill) and the included Python script is lightweight and self-contained. Nothing is downloaded from arbitrary URLs or installed automatically, so installation risk is low.
Credentials
The skill legitimately needs one API credential (LINKFOXAGENT_API_KEY) to call the tool gateway; that is proportionate to the functionality. The concern is that the skill manifest/registry did not declare any required environment variables while both references/api.md and scripts/zhihuiya_simple_bibliography.py require LINKFOXAGENT_API_KEY. This discrepancy can mislead users and automated permission reviewers. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system config, and has no elevated persistence requirements. It runs network calls only when invoked.
What to consider before installing
This skill appears to implement the described patent-bibliography lookup via LinkFox's Zhihuiya gateway and the included Python script is straightforward. However, the package metadata omitted that the skill requires an API key. Before installing or enabling the skill: (1) Confirm you trust the domain tool-gateway.linkfox.com and the LinkFox publisher; (2) expect to supply LINKFOXAGENT_API_KEY (an API secret) — do not reuse other sensitive keys; (3) ask the publisher or registry maintainer to update the manifest to declare the required env var so permission prompts are accurate; (4) if you want to test, run the included script in an isolated environment and avoid exposing other credentials; and (5) if you are uncertain about the publisher, avoid setting the API key in shared environments. If the missing env-var declaration is corrected and the endpoint is trustworthy, the skill looks coherent and not overtly malicious.
Like a lobster shell, security has layers — review code before you run it.
latestvk971trbv7h3z9btsm07fvt2znn84342a
