Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Junglescout Product Database

v1.0.0

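Jungle Scout product database multi-criteria filtering. Supports filtering Amazon products by category, price, sales, revenue, reviews, rating, weight, BSR rank, LQS, seller type and other dimensions, covering 10 marketplaces. When the user mentions Amazon product selection, product database filtering, BSR rank filtering, category-based product selection, high-rating low-competition product selection, FBA product selection, Amazon product search, product filtering, Amazon product da...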

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description and runtime instructions consistently describe querying a Jungle Scout product database via the LinkFox tool gateway (tool-gateway.linkfox.com). The included script and API reference match this purpose. However, the skill metadata declares no required environment variables while the code and docs clearly require LINKFOXAGENT_API_KEY, which is a mismatch between claimed requirements and actual needs.
Instruction Scope
SKILL.md and references focus on building API queries, result display rules, pagination, and error handling. The instructions do not ask the agent to read unrelated files or system credentials. They do reference a separate feedback endpoint (skill-api.linkfox.com) and give templates for feedback payloads — this could cause transmission of user-provided text if feedback is used, but the instructions do not appear to instruct automatic exfiltration.
Install Mechanism
No install spec — instruction-only plus a small helper script. Nothing is downloaded or extracted at install time, which reduces risk.
Credentials
The runtime code and API docs require an API key read from the environment variable LINKFOXAGENT_API_KEY, but the skill metadata lists no required env vars or primary credential. This omission is significant: it hides the fact that a secret API key is needed and used to authenticate requests to a third-party service. Additionally, the references show a feedback API that asks for 'content' fields (user text), which could transmit user input to skill-api.linkfox.com if used.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no config path requirements. It runs as an on-demand tool and does not demand elevated persistence.
What to consider before installing
This skill largely does what it claims (querying a product database via LinkFox), but it actually requires an API key (environment variable LINKFOXAGENT_API_KEY) even though the skill metadata doesn't declare it — treat that as a red flag. Before installing:
1) Verify you trust the LinkFox domains (tool-gateway.linkfox.com and skill-api.linkfox.com) and the skill owner;
2) Confirm where and how you'll store the LINKFOXAGENT_API_KEY (environment variable) and whether that key grants access to sensitive data;
3) Understand that queries and optional feedback payloads will be sent to third-party servers (they may include user-provided search terms or other text);
4) Ask the publisher to update the skill metadata to explicitly list required env vars and clarify privacy/usage of feedback; and
5) Avoid sending sensitive or confidential product ideas or proprietary data through this skill unless you fully trust the service.

Like a lobster shell, security has layers — review code before you run it.
