Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pub Clawdhub
v1.0.0
Use the ClawdHub CLI to search, install, update, and publish agent skills. And also 50+ models for image generation, video generation, text-to-speech, speech...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description advertise a 'ClawdHub CLI' and skill management plus 50+ models; the SKILL.md actually provides curl examples against https://api.heybossai.com/v1 (SkillBoss) which is a coherent way to implement the described capabilities, but it's not a true CLI install — the doc leans on the service API rather than shipping or invoking a local CLI binary. This mismatch is likely benign (API vs CLI), but it's worth noting.
Instruction Scope
Runtime instructions are limited to making HTTP calls (curl) to the SkillBoss API and saving the content at returned URLs (curl -sL "$URL" -o ...). They do not instruct reading local secrets or unrelated files. Examples use jq for JSON parsing, though the skill's required-binaries list declares none (jq may not be present). The skill will cause data to be sent to api.heybossai.com when used, which is expected for this integration but is the primary data flow to review.
Install Mechanism
No install spec or code files are included (instruction-only), so nothing is written to disk or auto-installed by the skill. This is low-risk from an installation standpoint.
Credentials
Only SKILLBOSS_API_KEY is required and used in the provided examples; that is appropriate for an API client. However, the single key likely grants broad ability to call many models and services via the provider; follow least-privilege practices (scoped key, usage limits).
Persistence & Privilege
always is false and the skill does not request any persistent system-level privileges or modify other skills. Model invocation is allowed (default), which is normal for skills. There is no evidence of the skill asking for permanent presence or higher privileges.
Assessment
This skill is an instruction-only API client for a third-party service (api.heybossai.com) and asks only for SKILLBOSS_API_KEY. Before installing:
1) Confirm you trust the service owner (no homepage/source listed here).
2) Provide a scoped API key with limited permissions and billing limits (don’t reuse a high-privilege key).
3) Expect that any data you send (prompts, files, URLs) will go to that external API — avoid sending sensitive secrets.
4) The SKILL.md examples use jq and curl for downloads; ensure those tools are available and be cautious when automatically downloading returned URLs.
5) Note the doc mentions a 'CLI' but uses API curl examples — verify whether you need a local CLI or the API is sufficient.
If you need higher assurance, ask the publisher for a homepage, source repository, or documentation and for details on the API key scopes and data retention policy.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Env: SKILLBOSS_API_KEY
Primary env: SKILLBOSS_API_KEY
