Pub Humanizer
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a broad SkillBoss API gateway under a humanizer label, requiring a bearer API key and exposing high-impact actions like email and SMS, so users should review its scope before use.
Install only if you intend to use a broad SkillBoss API gateway, not just a text humanizer. Use a limited or spend-capped API key, require explicit confirmation for email/SMS/batch or file-upload actions, avoid sending sensitive data unless acceptable, and do not use any missing helper script such as run.mjs unless you can verify it.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked incorrectly, the agent could send messages, trigger batches, or incur provider costs under the user's API key.
These documented actions can send outbound emails or SMS messages, including batch sends. The artifacts do not state confirmation, recipient-validation, rate, or cost controls for those high-impact actions.
| `email/send` | Send single email |
| `email/batch` | Send batch emails |
| `prelude/notify-send` | Send SMS notification |
| `prelude/notify-batch` | Batch SMS notifications |
Require explicit user confirmation before any email, SMS, batch, storage, or other externally visible action, and use provider-side limits where available.
Compromise or misuse of this key could allow broad API usage, costs, or actions across the SkillBoss account.
The skill requires a bearer credential that can call a wide set of provider-backed actions. The artifacts do not describe narrowed scopes, spending limits, or separate credentials for high-impact functions.
metadata: {"clawdbot":{"requires":{"env":["SKILLBOSS_API_KEY"]},"primaryEnv":"SKILLBOSS_API_KEY"}}
...
Auth: `-H "Authorization: Bearer $SKILLBOSS_API_KEY"`
...
One API key, 50+ models across providers ... Call any model directly by ID
Use a limited, revocable, spend-capped key if possible, and do not expose a high-privilege production key to routine agent sessions.
Private prompts, files, audio, or document contents may leave the local environment and be processed by the external service.
The skill sends user-provided content such as audio, documents, prompts, or images to an external provider API for processing. This is expected for the stated integrations, but it is sensitive-data handling users should notice.
Base URL: `https://api.heybossai.com/v1`
...
Speech-to-Text ... "inputs": {"audio_data": "BASE64_AUDIO", "filename": "recording.mp3"}
Avoid sending confidential data unless the provider's data-handling terms are acceptable, and ask for confirmation before uploading files or media.
Those examples may not work as written, or a user might fetch an unreviewed helper from elsewhere.
The documentation references a run.mjs helper, but the provided manifest contains only markdown files and no install spec or helper source, so that helper's behavior is not reviewable here.
run.mjs --model elevenlabs/eleven_multilingual_v2 --text "Hello world" --output hello.mp3
run.mjs --model openai/whisper-1 --file recording.m4a
Prefer the documented curl calls or only use a helper script if its source and provenance are reviewed and trusted.
