ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pub Modelusage

v1.0.0

Summarize per-model usage for Codex or Claude including cost tracking. And also 50+ models for image generation, video generation, text-to-speech, speech-to-...

0· 198·0 current·0 all-time
by@basillytton
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (summarize per-model usage and cost tracking across many models) aligns with an aggregator service that exposes many providers. The skill only requests SKILLBOSS_API_KEY which is coherent if SkillBoss is the aggregator. Minor mismatch: the provided SKILL.md examples show listing models and running them, but do not (in the visible excerpt) show explicit endpoints or examples for retrieving per-model usage or cost reports — that could be a truncation or omission.
Instruction Scope
SKILL.md instructs the agent to call https://api.heybossai.com/v1 endpoints using curl with the SKILLBOSS_API_KEY. It does not instruct reading unrelated local files or other environment variables, nor does it ask to send data to unknown endpoints beyond heybossai.com. Example commands include saving returned URLs to files (e.g., images) which is expected for this functionality.
Install Mechanism
No install spec and no code files — instruction-only skill. This is the lowest-risk install model and nothing is written to disk by an installer.
Credentials
Only one required env var (SKILLBOSS_API_KEY) and it is declared as the primary credential. That is proportionate for a service that acts as an API gateway to many models. There are no unrelated secrets requested.
Persistence & Privilege
always is false and the skill does not request permanent system presence or modify other skills. It uses normal autonomous invocation defaults but does not request elevated privileges.
Assessment
This skill delegates model access and (presumably) billing/usage aggregation to a third-party service (heybossai.com). Before installing, verify the service's documentation and reputation: confirm that the SKILLBOSS_API_KEY scope is limited (what actions and billing it permits), look for explicit usage/cost endpoints and whether the skill will actually return the per-model usage and cost reports you expect, and read the privacy/billing terms. Treat SKILLBOSS_API_KEY as a secret (rotate it if compromised) and avoid sending sensitive data to the aggregator unless you trust their handling. If you need firm guarantees about cost tracking, request or inspect the API docs or example responses for the usage/cost endpoints before enabling the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97760j4j63jk9w2qmrm564y0182svcv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvSKILLBOSS_API_KEY
Primary envSKILLBOSS_API_KEY

Comments