ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Linkfuse

v1.0.4

Create a Linkfuse affiliate short link from any URL. Trigger this skill when the user wants to create a Linkfuse link, shorten an affiliate URL, or says "/li...

0· 648·1 current·1 all-time
byOliver Weichhold@oliverw
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: the skill only needs a Linkfuse bearer token and posts to Linkfuse's API to create short links. No unrelated services, binaries, or config paths are requested.
Instruction Scope
SKILL.md accurately documents runtime behavior: it requires LINKFUSE_TOKEN, asks for a URL, runs the included Node script, and prints the resulting short URL. Instructions do not ask the agent to read unrelated files or exfiltrate extra data.
Install Mechanism
No install spec; this is instruction-only with two small included Node scripts. There are no downloads from untrusted URLs or archive extraction steps.
Credentials
Only LINKFUSE_TOKEN is required (declared). The token is necessary and sufficient for the described API calls; no other secrets, credentials, or config paths are requested.
Persistence & Privilege
always is false and the skill does not attempt to modify other skills or system settings. It does perform normal network calls to app.linkfuse.net using the provided token.
Assessment
This skill appears to do exactly what it says: it uses the LINKFUSE_TOKEN you provide to call Linkfuse's API and create a short/affiliate link. Before installing, ensure the token you provide is from https://app.linkfuse.net/user/external-token and is stored securely (don't commit it to repos or share shells). The skill will make network requests to app.linkfuse.net and prints results to stdout; it does not request other credentials or access unrelated files. If you have concerns, inspect the included scripts (they are small and readable) and consider using a limited/rotatable token you can revoke if needed.

Like a lobster shell, security has layers — review code before you run it.

latestvk977tzj8s1mkcsrgt16qgm0evn81eg51

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🧠 Clawdis
EnvLINKFUSE_TOKEN

Comments