Zhihuiya Simple Bibliography

Pass

Audited by ClawScan on May 10, 2026.

Overview

This skill appears to be a straightforward patent bibliography lookup that sends patent IDs or publication numbers to a documented LinkFox/Zhihuiya API, with a disclosed but under-declared API key requirement.

This skill looks safe for its stated purpose, but it depends on a LinkFox/Zhihuiya API key and sends patent lookup requests to LinkFox-hosted endpoints. Install it if you trust that provider and are comfortable sharing the specific patent numbers or IDs you query.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Users need to provide and protect a LinkFox/Zhihuiya API key for the skill to work.

Why it was flagged

The script requires an API key from the environment and sends it as the Authorization header, while the registry metadata says there are no required environment variables or primary credentials. The credential use is expected for the patent API, but under-declared.

Skill content

key = os.environ.get("LINKFOXAGENT_API_KEY")

Recommendation

Only use a legitimate API key, avoid exposing it in chat or logs, and prefer metadata that explicitly declares LINKFOXAGENT_API_KEY as a required credential.

What this means

Patent numbers may be public, but the fact that a user is researching specific patents could still reveal business interests to the API provider.

Why it was flagged

Patent IDs or publication numbers and the API key are sent to an external LinkFox gateway. This is disclosed and central to the skill's purpose, but users should understand that their patent lookup queries go to that service.

Skill content

Request URL: `https://tool-gateway.linkfox.com/zhihuiya/simpleBibliography` ... Authentication: Header `Authorization: <api_key>`

Recommendation

Use the skill only for queries you are comfortable sending to the LinkFox/Zhihuiya API, and check provider terms if the searches are confidential.

What this means

If used, feedback submission could send parts of the user's request or intent to a separate LinkFox feedback service.

Why it was flagged

The reference file documents a separate feedback API that could include user statements or intent. The included script does not call this endpoint, so this is only an optional documented data flow rather than observed automatic behavior.

Skill content

POST `https://skill-api.linkfox.com/api/v1/public/feedback` ... `content`: Include what the user said or intended

Recommendation

Do not submit feedback containing confidential user requests unless the user agrees; keep feedback content minimal and non-sensitive.