ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pub Humanizer

v1.0.0

Remove signs of AI-generated writing from text to make it sound more natural and human-written. And also 50+ models for image generation, video generation, t...

0· 183·0 current·0 all-time
by@abeltennyson
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill name/description suggests a focused 'remove AI traces / humanize text' tool, but SKILL.md is a general SkillBoss API reference exposing 50+ models (chat, image, video, TTS, STT, etc.). Requiring SKILLBOSS_API_KEY is consistent with the documentation but disproportionate for a single-purpose humanizer and may mislead users about scope and the credential they'll be handing over.
!
Instruction Scope
SKILL.md contains curl examples that send user data to https://api.heybossai.com and shows how to download assets; it therefore instructs transmitting content to a third party (expected for an API client). It also references helper commands/tools not declared as requirements (jq, and run.mjs/node invocations in sample files). The instructions do not confine what data is sent — any text you pass could be forwarded to that external API.
Install Mechanism
There is no install spec (instruction-only), which is lower risk because nothing is installed by the skill itself. However, the docs assume command-line tooling (jq, run.mjs) that the skill metadata does not declare or install — this mismatch could cause runtime errors or entangle you with undocumented tooling.
Credentials
The skill only requests one env var (SKILLBOSS_API_KEY), which is reasonable for a gateway API. But that single key appears to grant broad access to many model types and functionality (and thus to any data you send). The skill does not declare finer-grained scopes or explain the provider's data-retention / billing behavior.
Persistence & Privilege
always is false and no install or persistent system-wide changes are requested. The skill can be invoked normally by the agent; there is no elevated persistence requested.
What to consider before installing
This skill is suspicious mainly because its name implies a single, narrow 'humanizer' capability while the SKILL.md is a generic client for a third‑party multi-model API (heybossai.com). Before installing: (1) Confirm the provider (heybossai) is a service you trust — check privacy, data retention, and billing policies; (2) Only provide an API key with the minimum necessary privileges and consider using an account dedicated to this skill; (3) Expect that any text you send will be transmitted to that external API (avoid sending sensitive data); (4) Note that the docs assume command-line tools (jq) and a run.mjs helper that are not declared — verify your runtime has those tools or the examples may fail; (5) If you expected a standalone 'humanizer' that runs locally, this is not it — this skill delegates work to a remote service. If you want to proceed, validate the SKILLBOSS account and key scope and test with non-sensitive data first.

Like a lobster shell, security has layers — review code before you run it.

latestvk979w332ethya932wx85cq704982sqsf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvSKILLBOSS_API_KEY
Primary envSKILLBOSS_API_KEY

Comments