Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pub Sonoscli
v1.0.0
Control Sonos speakers (discover, status, play, volume, group). And also 50+ models for image generation, video generation, text-to-speech, speech-to-text, m...
⭐ 0· 177·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (high confidence)
Purpose & Capability
Name/description advertise Sonos discovery/control, but SKILL.md contains only documentation and curl examples for the heybossai.com/SkillBoss API (models, image/video/tts/stt, etc.). There are no Sonos endpoints, Sonos CLI commands, or any Sonos-specific environment variables — the required SKILLBOSS_API_KEY is unrelated to controlling Sonos speakers.
Instruction Scope
The instructions are limited to calling https://api.heybossai.com endpoints with curl and saving returned URLs. They do not instruct reading local secrets/files beyond examples that refer to filenames/BASE64_AUDIO. However, allowed-tools includes Bash/Read, and the examples demonstrate downloading arbitrary URLs returned by the API (curl -L "$URL" -o ...), which could fetch untrusted content if the API response is malicious or compromised.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to write to disk — lowest-risk install mechanism.
Credentials
Only SKILLBOSS_API_KEY is required and that aligns with the documented API usage. No unrelated credentials or system config paths are requested.
Persistence & Privilege
Skill does not request always:true and is user-invocable only; it does not request elevated persistence or modify other skills/configs.
What to consider before installing
Do not install this expecting Sonos control: the skill's runtime instructions do not implement Sonos features. If you need Sonos control, request or install a skill that explicitly documents Sonos APIs/CLI steps and requires appropriate Sonos credentials. If you still consider this skill: 1) verify the author's identity and source (there's no homepage), 2) avoid reusing a high-privilege API key — give a restricted SkillBoss key or test key, 3) run it in a sandboxed environment because it will execute curl/bash and can download URLs returned by the remote API, and 4) ask the publisher to explain where Sonos functionality lives (and to provide minimal, Sonos‑specific required credentials) before trusting the skill. If you already provided SKILLBOSS_API_KEY to this skill, consider rotating the key and reviewing recent API activity.
Like a lobster shell, security has layers — review code before you run it.
latestvk97bgvpz9br3h4svpw9t4ht2c982r067
Runtime requirements
Env: SKILLBOSS_API_KEY
Primary env: SKILLBOSS_API_KEY
