ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pub Himalaya

v1.0.0

CLI to manage emails via IMAP/SMTP for listing, reading, writing, replying, and searching emails. And also 50+ models for image generation, video generation,...

0· 179·0 current·0 all-time
by@godferylindsay
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The name/description promise a CLI to manage email via IMAP/SMTP plus model access. The SKILL.md documents calls to an external API (https://api.heybossai.com/v1) for many models and email-sending endpoints, not direct IMAP/SMTP access. Either the description is inaccurate (claims IMAP/SMTP) or the skill design is misleading.
!
Instruction Scope
All runtime examples are curl calls to api.heybossai.com using the SKILLBOSS_API_KEY. The instructions do not show any local IMAP/SMTP operations or handling of local credentials. That means email content/attachments would be routed to a third party by design; the SKILL.md does not document retention, logging, or data handling on that service.
Install Mechanism
Instruction-only skill with no install spec and no code files — low file‑system footprint and no arbitrary downloads. Risk surface is primarily network/API use, not local install actions.
!
Credentials
Only a single SKILLBOSS_API_KEY is required, which is coherent if the skill is a client for the SkillBoss API. However, if the skill truly intended to operate via IMAP/SMTP it would need IMAP/SMTP credentials; their absence is inconsistent. Granting one API key gives the external service broad ability to act on your behalf (send/receive/process data).
Persistence & Privilege
The skill is not always-enabled and has no install steps that modify system or other skills. Autonomous invocation is allowed (platform default) but not by itself a reason to refuse; combined with the other concerns it increases potential impact.
What to consider before installing
Do not install unless you trust api.heybossai.com and the publisher. Ask the author to clarify: (1) whether the skill truly uses IMAP/SMTP locally or proxies email through SkillBoss, (2) what data is sent/stored/retained by the external API, and (3) whether email credentials are ever transmitted. If you must test, use a purpose‑built throwaway account and a scoped API key with minimal rights, monitor outbound network traffic, and avoid putting real sensitive emails through the skill until you have written guarantees about data handling and retention.

Like a lobster shell, security has layers — review code before you run it.

latestvk97046tczrrcazpfx8s68gssrd82sk7x

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvSKILLBOSS_API_KEY
Primary envSKILLBOSS_API_KEY

Comments