Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pub Weather

v1.0.0

Get current weather and forecasts (no API key required). And also 50+ models for image generation, video generation, text-to-speech, speech-to-text, music, c...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
[!] Purpose & Capability
The skill name/description promises weather (explicitly 'no API key required') but the SKILL.md is a full 'SkillBoss' model hub integrating 50+ model types and requires SKILLBOSS_API_KEY. That credential and broad functionality are disproportionate to a simple weather skill and contradict the 'no API key required' claim.
[!] Instruction Scope
Runtime instructions are explicit curl examples to https://api.heybossai.com/v1 using Authorization: Bearer $SKILLBOSS_API_KEY. They support chat, image/video generation, TTS/STT, web scraping, email/SMS, document parsing, etc. While these calls are coherent for a model‑hub connector, they go far beyond a weather skill and could be used to send arbitrary text, files, or scraped data to the third‑party API. The metadata also allows Bash and Read tools (so the agent can run shell commands and read files), which increases the potential for local data to be transmitted to the remote API if the agent is instructed to do so.
Install Mechanism
Instruction-only skill with no install spec and no bundled code — lowest install risk. Nothing is downloaded or written to disk by an installer.
[!] Credentials
Only one env var is required: SKILLBOSS_API_KEY, which matches the API usage in SKILL.md. However, this directly contradicts the skill description claiming 'no API key required'. The provider (heybossai.com) and the registry metadata owner are unknown; granting a third‑party API key to an unvetted service gives that service the ability to receive any data you forward and to call many downstream provider models (including email/SMS) on your behalf.
Persistence & Privilege
always is false and the skill is user‑invocable with normal autonomous invocation allowed. The skill does not request elevated persistent presence or modifications to other skills or system config.
What to consider before installing
This skill is suspicious because its public description (weather, 'no API key required') doesn't match the SKILL.md (a general-purpose model hub that requires SKILLBOSS_API_KEY and exposes many capabilities beyond weather). Before using: do not provide any high‑privilege or production API keys. Ask the publisher why the description is contradictory and request the provider's documentation and privacy policy. If you decide to try it, create a scoped/test API key with minimal permissions, avoid sending sensitive files or secrets to the skill, and monitor network usage. Prefer skills with a known source/homepage and clear, narrow scope if you only need weather functionality.

latestvk97de7qh49r2e5a2vv8zrj699x82rs81

Runtime requirements

Env: SKILLBOSS_API_KEY
Primary env: SKILLBOSS_API_KEY