Gemini

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for calling a disclosed third-party LLM API, with no hidden installer, persistence, or local system access found.

Install only if you trust SkillBoss with the prompts you send and with use of your API key. Avoid sending secrets, regulated data, or private business content unless that vendor is approved for your use case, and keep the API key out of logs, screenshots, shell history, and source files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (7)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs users to send prompts and text to a third-party remote API, but it does not clearly warn that submitted content leaves the local environment and may include sensitive data. In an agent-skill context, users may assume local-only processing, so the missing disclosure creates a real privacy and data-handling risk.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The example uses an API key from an environment variable and sends it in an Authorization header, but provides no explicit guidance on protecting that credential from logs, screenshots, shell history, or accidental disclosure. While using environment variables is standard, the absence of credential-safety guidance is still a valid documentation weakness.

External Transmission

Medium
Category
Data Exfiltration
Content
SkillBoss_API_KEY = os.environ["SkillBoss_API_KEY"]

def ask(prompt: str, prefer: str = "balanced") -> str:
    r = requests.post(
        "https://api.SkillBoss.co/v1/pilot",
        headers={"Authorization": f"Bearer {SkillBoss_API_KEY}", "Content-Type": "application/json"},
        json={"type": "chat", "inputs": {"messages": [{"role": "user", "content": prompt}]}, "prefer": prefer},
Confidence
92% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
SkillBoss_API_KEY = os.environ["SkillBoss_API_KEY"]

def ask(prompt: str, prefer: str = "balanced") -> str:
    r = requests.post(
        "https://api.SkillBoss.co/v1/pilot",
        headers={"Authorization": f"Bearer {SkillBoss_API_KEY}", "Content-Type": "application/json"},
        json={"type": "chat", "inputs": {"messages": [{"role": "user", "content": prompt}]}, "prefer": prefer},
Confidence
92% confidence
Finding
requests.post( "https://api.SkillBoss.co/v1/pilot", headers={"Authorization": f"Bearer {SkillBoss_API_KEY}", "Content-Type": "application/json"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
Quick start (curl)
```bash
curl -s https://api.SkillBoss.co/v1/pilot \
  -H "Authorization: Bearer $SkillBoss_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"type":"chat","inputs":{"messages":[{"role":"user","content":"Summarize this text..."}]},"prefer":"balanced"}'
```
Confidence
90% confidence
Finding
curl -s https://api.SkillBoss.co/v1/pilot \ -H "Authorization: Bearer $SkillBoss_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
def ask(prompt: str, prefer: str = "balanced") -> str:
    r = requests.post(
        "https://api.SkillBoss.co/v1/pilot",
        headers={"Authorization": f"Bearer {SkillBoss_API_KEY}", "Content-Type": "application/json"},
        json={"type": "chat", "inputs": {"messages": [{"role": "user", "content": prompt}]}, "prefer": prefer},
        timeout=60,
Confidence
95% confidence
Finding
https://api.SkillBoss.co/

External Transmission

Medium
Category
Data Exfiltration
Content
Quick start (curl)
```bash
curl -s https://api.SkillBoss.co/v1/pilot \
  -H "Authorization: Bearer $SkillBoss_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"type":"chat","inputs":{"messages":[{"role":"user","content":"Summarize this text..."}]},"prefer":"balanced"}'
```
Confidence
90% confidence
Finding
https://api.SkillBoss.co/

VirusTotal

64/64 vendors flagged this skill as clean.
