ai

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill's code and instructions mostly match its stated purpose (a Venice/SkillBoss AI CLI), but they contain several inconsistencies (mismatched hostnames/domains and an undeclared local config path) that warrant caution before installing the skill or supplying credentials to it.

Key points to check before installing or providing credentials:

- Domain inconsistencies: The SKILL.md, the reference material, and the code mention several different domains (venice.ai, skillbossai.com, heybossai.com / api.heybossai.com). Confirm which hostname is the real API endpoint, and that you trust the service behind it, before supplying SKILLBOSS_API_KEY.
- Undeclared config access: The code will try to read ~/.clawdbot/clawdbot.json to locate the API key. That file was not listed in the skill's required config paths. If you keep other secrets in that file, be aware that the skill may read them.
- Data exfiltration surface: The CLI uploads local files, and the content of any URL you pass (images, audio, video), to the remote API. Do not run it on sensitive files unless you explicitly trust the remote service and its key policy, and check whether the service retains uploaded data.
- Minimize blast radius: If you proceed, create a dedicated API key for this skill with the fewest privileges the service allows, monitor its usage, and watch the associated billing.
- Verify source: Because the skill package is not tied to a single clear vendor domain, inspect the included 'venice_common' module and the rest of the code (not fully shown here) to confirm there are no hidden endpoints and no logging of local files beyond the expected API calls.

I rate this suspicious (not clearly malicious) because the functionality matches the description, but the host/domain mismatches and the undeclared config path are unexplained inconsistencies that you should resolve before trusting the skill with real credentials or sensitive data.
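The "Verify source" check above is mechanical enough to script. The Python below is an added example written for this page, not the scanner's own code and not part of the skill: it walks a skill package, collects every URL hostname and every home-directory path (`~/...`) the files reference, and reports the ones that SKILL.md never mentions. It assumes the manifest is a file named SKILL.md at the package root, and the package it scans is a constructed stand-in that mirrors the findings reported here (a manifest naming api.venice.ai, a `venice_common` module that talks to api.heybossai.com and reads ~/.clawdbot/clawdbot.json); the file contents are invented for the example, not the real skill's code.

```python
"""Flag hostnames and home-directory paths a skill's code references
but its SKILL.md never declares.  Added example, not the scanner's code."""
import re
import tempfile
from pathlib import Path

# URL host: everything between "scheme://" and the next "/", ":" or quote.
HOST_RE = re.compile(
    r"https?://([A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9-]+)+)"
)
# Path under the user's home directory, e.g. ~/.clawdbot/clawdbot.json
HOME_RE = re.compile(r"~/[A-Za-z0-9_.\-/]+")
SKIP_DIRS = {".git", "node_modules", "__pycache__"}
MANIFEST = "SKILL.md"  # assumed manifest location (package root)


def scan_package(root):
    """Return ({host: {files}}, {home_path: {files}}) over every file under root."""
    root = Path(root)
    hosts, paths = {}, {}
    for f in root.rglob("*"):
        rel = f.relative_to(root)
        if not f.is_file() or SKIP_DIRS.intersection(rel.parts):
            continue
        text = f.read_text(encoding="utf-8", errors="replace")
        for m in HOST_RE.finditer(text):
            hosts.setdefault(m.group(1).lower(), set()).add(rel.as_posix())
        for m in HOME_RE.finditer(text):
            # strip a trailing "." so a path ending a sentence is not mangled
            paths.setdefault(m.group(0).rstrip("."), set()).add(rel.as_posix())
    return hosts, paths


def undeclared(found, manifest_text):
    """Keep the items whose literal text is absent from the manifest.
    The substring test is deliberately loose: a manifest that names
    api.venice.ai also "declares" venice.ai."""
    m = manifest_text.lower()
    return {k: sorted(v) for k, v in found.items() if k.lower() not in m}


def report(root):
    """Hosts/paths referenced by code files (manifest excluded) and the
    subset of them the manifest does not mention."""
    root = Path(root)
    manifest = (root / MANIFEST).read_text(encoding="utf-8", errors="replace")
    hosts, paths = scan_package(root)
    # Drop the manifest from the "where referenced" lists so that a host
    # mentioned only in SKILL.md is not reported as a code reference.
    code_hosts = {k: v - {MANIFEST} for k, v in hosts.items() if v - {MANIFEST}}
    code_paths = {k: v - {MANIFEST} for k, v in paths.items() if v - {MANIFEST}}
    return {
        "hosts": {k: sorted(v) for k, v in code_hosts.items()},
        "home_paths": {k: sorted(v) for k, v in code_paths.items()},
        "undeclared_hosts": undeclared(code_hosts, manifest),
        "undeclared_paths": undeclared(code_paths, manifest),
    }


def build_sample():
    """Constructed sample package (NOT the real skill) mirroring the report:
    the manifest names one API host and an env var; the code talks to a
    different host and falls back to an undeclared config file."""
    root = Path(tempfile.mkdtemp(prefix="skill-"))
    (root / "SKILL.md").write_text(
        "# ai\nCLI for the Venice/SkillBoss API at https://api.venice.ai/v1.\n"
        "Required config: SKILLBOSS_API_KEY in the environment.\n"
    )
    (root / "venice_common.py").write_text(
        "import json, os\n"
        "API = 'https://api.heybossai.com/v1'\n"
        "def api_key():\n"
        "    k = os.environ.get('SKILLBOSS_API_KEY')\n"
        "    if not k:  # undeclared fallback\n"
        "        cfg = json.load(open(os.path.expanduser('~/.clawdbot/clawdbot.json')))\n"
        "        k = cfg.get('skillboss', {}).get('apiKey')\n"
        "    return k\n"
    )
    (root / "cli.py").write_text(
        "from venice_common import API, api_key\n"
        "DOCS = 'https://venice.ai/docs'\n"
        "# uploads a local file to API + '/upload' (constructed stub)\n"
    )
    return root


if __name__ == "__main__":
    r = report(build_sample())
    for kind in ("undeclared_hosts", "undeclared_paths"):
        for item, files in r[kind].items():
            print(f"{kind}: {item}  (referenced in {', '.join(files)})")
```

Run it against a real package with `report("/path/to/skill")`; every host or `~/` path it prints is one you should be able to explain from SKILL.md before trusting the skill with a key. The matcher is intentionally simple (URL literals and `~/` paths only), so a host assembled at runtime from pieces, or a path built with `os.path.expanduser("~")` plus string concatenation, will not be caught; that is exactly the kind of thing a manual read of `venice_common` should still look for.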

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

No visible risk-analysis findings were reported for this release.