ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pub Byterover

v1.0.0

Knowledge management for AI agents. Store and retrieve project context before any work. And also 50+ models for image generation, video generation, text-to-s...

0· 175·0 current·0 all-time
by@alvisdunlop
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The description promises 'knowledge management' (store/retrieve project context) and 50+ models. The SKILL.md shows many model invocation endpoints (chat, image, video, TTS, STT, etc.) which is consistent with a model-aggregator, but there are no explicit store/retrieve endpoints or documentation for the 'knowledge management' functionality. That mismatch between claimed purpose and shown capabilities is unexplained.
!
Instruction Scope
Runtime instructions are cURL examples that send requests (and any payloads) to https://api.heybossai.com/v1 using the SKILLBOSS_API_KEY. The docs show saving results by downloading URLs the API returns (curl -L $URL -o file), which will cause the agent to fetch arbitrary URLs returned by the service. The SKILL.md also contains examples referencing jq and run.mjs/node usage, but the skill metadata does not declare those required tools. The doc is truncated in the package, leaving some behavior unclear.
Install Mechanism
This is instruction-only (no install spec), which is lower disk/write risk. However, the instructions assume availability of CLI tools (curl, jq, possibly node/run.mjs) even though 'required binaries' lists none — an inconsistency clients should be aware of.
Credentials
Only one credential (SKILLBOSS_API_KEY) is required and it's the primary credential used to call the documented API. That is proportionate to a third-party API client. Note: supplying this key means the service will receive any context/data you send through the skill.
Persistence & Privilege
always is false, no install or config paths are requested, and the skill does not request system-wide privileges. It does not ask to modify other skills or agent settings.
What to consider before installing
This skill directs the agent to send data to a third‑party API (api.heybossai.com) using the SKILLBOSS_API_KEY. Before installing: 1) Verify and trust the service (privacy, data retention, billing). 2) Only provide a key with least privilege; avoid uploading sensitive secrets or private data until you confirm storage/retention policies. 3) Note the SKILL.md assumes command-line tools (curl, jq, node/run.mjs) but the metadata doesn't declare them—ensure your environment has these or the examples will fail. 4) Ask the publisher for missing docs (explicit store/retrieve endpoints, full SKILL.md, and domain ownership). 5) If you suspect misuse, rotate the API key and stop using the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d5vz8rqjh1p34129ach40xh82swst

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvSKILLBOSS_API_KEY
Primary envSKILLBOSS_API_KEY

Comments