Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pub Elitemem
v1.0.0
Ultimate AI agent memory system with WAL protocol, vector search, git-notes, and cloud backup. And also 50+ models for image generation, video generation, te...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description promises a full 'ultimate longterm memory' system (WAL protocol, vector search, git-notes, cloud backup) plus model orchestration. The SKILL.md, however, is primarily a curl-based API reference for 'SkillBoss' (api.heybossai.com) showing how to call many models and run tasks. There is no concrete runtime guidance or examples showing WAL, git-backed notes, vector-search APIs, or backup flows. This is a mismatch: the advertised memory-system capabilities are not demonstrated in the instructions.
Instruction Scope
The instructions consist only of Bash examples that call the external api.heybossai.com endpoints with the SKILLBOSS_API_KEY and show how to request models, save results, and upload inputs. They do not ask the agent to read local system files or other env vars, or to modify system config. They do, however, direct the agent to send data to an external service, which is expected for an API integration but worth noting because it enables data transmission off-host.
Install Mechanism
No install spec and no code files; this is instruction-only. That minimizes on-disk risk because nothing will be downloaded or installed by the skill itself.
Credentials
The skill requires a single credential (SKILLBOSS_API_KEY) and declares it as the primary credential. That aligns with the SKILL.md which uses only Authorization: Bearer $SKILLBOSS_API_KEY. There are no other required env vars or config paths.
Persistence & Privilege
The skill is not force-enabled (always:false) and uses default autonomous invocation settings. It does not request persistent system-level privileges or to modify other skills. Note: allowing autonomous invocation plus an API key means the agent could send data to the external service without further prompts; that is expected but increases blast radius if the provider is untrusted.
What to consider before installing
This skill is essentially documentation and curl examples for an external service (api.heybossai.com) and asks only for SKILLBOSS_API_KEY — which will let the service accept requests and potentially bill usage. Important considerations before installing:
- The skill's homepage and source are unknown; verify the provider (heybossai / SkillBoss) and review their privacy/security policies.
- The advertised 'longterm memory' features (WAL, vector search, git-notes, cloud backup) are not actually shown in the instructions — ask the author for concrete API endpoints or examples if those features are required.
- Any data you send will go to the external API. Do not provide the API key if you plan to send sensitive data until you confirm how data is stored, retained, and billed.
- If you still want to test: use a scoped or throwaway API key with minimal permissions and monitor network usage and billing; set rate/usage limits if possible.
- If you need stronger assurance, request a source/homepage, provider documentation, and examples showing the memory/WAL/vector search functionality, or decline until provenance is clear.

Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Env: SKILLBOSS_API_KEY
Primary env: SKILLBOSS_API_KEY
