Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

LinkFox Market Research

v1.0.0

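Amazon market research report. The user provides a category name and node ID, and a complete HTML report is generated automatically (8 dimensions, including market overview, price, reviews, brands, sellers, and competitors). Trigger phrases: "市场调研" (market research), "市调" (market survey), "market research", "分析这个类目" (analyze this category).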

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for jiafar/linkfox-market-research.

Install the skill "LinkFox Market Research" (jiafar/linkfox-market-research) from ClawHub.
Skill page: https://clawhub.ai/jiafar/linkfox-market-research
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install linkfox-market-research

ClawHub CLI

npx clawhub@latest install linkfox-market-research
Security Scan

VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The skill's code (linkfox.py, run_task.sh, market-research.sh) legitimately implements submitting tasks to a LinkFoxAgent API and assembling reports, which matches the description. However, the registry metadata lists no required environment variables or primary credential while SKILL.md and linkfox.py require LINKFOXAGENT_API_KEY — this metadata omission is an incoherence and could lead users to install without providing the required credential or without realizing network calls will be made.
! Instruction Scope
SKILL.md tells the agent to exec market-research.sh which runs run_task.sh and linkfox.py. The scripts download report URLs via curl and then merge the returned HTMLs. merge_html.py preserves external <link> and <script src=> references and injects them into the merged file, so opening the output will cause the user's browser to fetch and execute remote resources. The scripts also do no content sanitization or validation of downloaded HTML. These behaviors go beyond simple local formatting and introduce remote resource execution and potential content injection risk.
Install Mechanism
There is no install spec and no external installers — the skill is instruction/code-only. Nothing is downloaded at install time. The runtime does perform network I/O to LinkFoxAgent and to report URLs, which is expected for this purpose.
! Credentials
The runtime requires LINKFOXAGENT_API_KEY (linkfox.py exits if it's not set) and network access, but the registry metadata does not declare this. Additionally market-research.sh writes to REPORT_DIR under /tmp and sets OUTPUT_DIR="$WORKSPACE/output" — WORKSPACE is not declared and may be empty, causing output to be created at /output (root) or an unexpected location. The number and sensitivity of environment references is small and proportional to the skill's purpose, but the missing declaration and the undefined WORKSPACE usage are problematic.
Persistence & Privilege
The skill does not request always: true and will not be force-installed. It does not modify other skills. It runs as-invoked and writes outputs under /tmp and the configured output directory; this is typical for CLI-style skills.
What to consider before installing
Key things to consider before installing:

  • Metadata mismatch: the skill's SKILL.md and linkfox.py require LINKFOXAGENT_API_KEY, but the registry metadata does not declare any required env vars. Treat the API key as required — do not provide high-privilege credentials without verifying the service.
  • Remote content execution: the workflow downloads HTML reports and merges them while preserving external CSS/JS references. Opening the final HTML will cause the browser to fetch and run remote resources. Only open the report if you trust agent-api.linkfox.com and the domains hosting the report files.
  • Check the endpoint: linkfox.py posts to https://agent-api.linkfox.com/ with your API key in the Authorization header. Verify that domain and the service before supplying a key.
  • Workspace bug: market-research.sh uses OUTPUT_DIR="$WORKSPACE/output" but WORKSPACE is not defined anywhere. If WORKSPACE is empty this may create /output at the filesystem root or otherwise place files in unexpected locations — run in a sandbox or inspect scripts first.
  • Least privilege: if you decide to provide an API key, use a dedicated key/account with minimal permissions and monitor its usage.
  • Sandboxing: run the scripts in an isolated environment (container or VM) the first time to observe network calls and file writes. Inspect downloaded HTML before opening in a browser or open it offline (block network) if you want to avoid remote JS execution.
  • If you need clarity: ask the publisher for an explicit list of required env vars, exact domains the skill will contact, and whether returned HTML is sanitized.

The metadata omission and embedding of external scripts are the main reasons this skill is flagged as suspicious.

Like a lobster shell, security has layers — review code before you run it.

Tags: amazon, ecommerce, latest, linkfox, market-research, product-research

85 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

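Amazon Market Research Report

The user provides a category name and a node ID, and a single command generates the complete report.

How to trigger

The user only needs to state the category name and node ID, for example:

  • "Deck Boxes, 671804011"
  • "Research Salon Chairs 15144890011 for me"
  • "Do a market survey on 671804011"

Execution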

exec(
  command='bash {baseDir}/scripts/market-research.sh "类目名称" 节点ID',
  background=true,
  timeout=600
)

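Once process poll completes, use open to open the generated report file.

Output

  • File: output/{类目名}-market-report.html (where {类目名} is the category name)
  • Content: 8 analysis dimensions (market overview, listing date, price, reviews, brands, sellers, top 10 competitors, overall assessment)
  • Format: single-page HTML with left-hand navigation, including tables and charts
  • Duration: about 3-5 minutes

Prerequisites

  • The LINKFOXAGENT_API_KEY environment variable is set
  • Python 3 is available
  • The LinkFox Agent API is reachable over the network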
