ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Linkfuse

v1.0.4

Create a Linkfuse affiliate short link from any URL. Trigger this skill when the user wants to create a Linkfuse link, shorten an affiliate URL, or says "/li...

0· 704·1 current·1 all-time
byOliver Weichhold@oliverw
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: the skill only needs a Linkfuse bearer token and posts to Linkfuse's API to create short links. No unrelated services, binaries, or config paths are requested.
Instruction Scope
SKILL.md accurately documents runtime behavior: it requires LINKFUSE_TOKEN, asks for a URL, runs the included Node script, and prints the resulting short URL. Instructions do not ask the agent to read unrelated files or exfiltrate extra data.
Install Mechanism
No install spec; this is instruction-only with two small included Node scripts. There are no downloads from untrusted URLs or archive extraction steps.
Credentials
Only LINKFUSE_TOKEN is required (declared). The token is necessary and sufficient for the described API calls; no other secrets, credentials, or config paths are requested.
Persistence & Privilege
always is false and the skill does not attempt to modify other skills or system settings. It does perform normal network calls to app.linkfuse.net using the provided token.
Assessment
This skill appears to do exactly what it says: it uses the LINKFUSE_TOKEN you provide to call Linkfuse's API and create a short/affiliate link. Before installing, ensure the token you provide is from https://app.linkfuse.net/user/external-token and is stored securely (don't commit it to repos or share shells). The skill will make network requests to app.linkfuse.net and prints results to stdout; it does not request other credentials or access unrelated files. If you have concerns, inspect the included scripts (they are small and readable) and consider using a limited/rotatable token you can revoke if needed.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🧠 Clawdis
EnvLINKFUSE_TOKEN
latestvk977tzj8s1mkcsrgt16qgm0evn81eg51
704downloads
0stars
5versions
Updated 7h ago
v1.0.4
MIT-0
Oliver Weichhold@oliverw
latest
Download

Linkfuse Skill

Creates an affiliate short link via the Linkfuse REST API — same API used by the Chrome and Firefox extensions.

Trigger Conditions

Use this skill when the user:

  • Says /linkfuse [url]
  • Asks to "create a Linkfuse link" for a URL
  • Wants to shorten an affiliate/Amazon URL via Linkfuse

Authentication

This skill reads the Bearer token exclusively from the LINKFUSE_TOKEN environment variable. If it is not set, tell the user:

LINKFUSE_TOKEN is not set. Get your token from https://app.linkfuse.net/user/external-token and add it to your environment:

export LINKFUSE_TOKEN=your_token_here

Then retry.

Do not proceed without a token.

Workflow

Step 1 — Get the URL

If the user did not provide a URL, ask for one before proceeding.

Step 2 — Create the link

node scripts/create-link.js --url "<url>"
  • Exit 0: stdout contains JSON { "url": "...", "title": "..." } — proceed to Step 3.
  • Exit 2 (Unauthorized): Tell the user their LINKFUSE_TOKEN is invalid or expired and they should update it.
  • Exit 1: Display the stderr error message to the user.

Step 3 — Display result

Show the user:

✓ Link created: <short-url>
  Title: <title>

Offer to copy the short URL to the clipboard:

echo -n "<short-url>" | xclip -selection clipboard 2>/dev/null || echo -n "<short-url>" | pbcopy 2>/dev/null || true

Notes

  • allowRecycle: true is sent with every request — if the same URL was shortened before, the existing link is returned rather than creating a duplicate.
  • The X-API-CLIENT: claude-skill header identifies this client to the server.

Comments

Loading comments...