llm

The skill's code mostly implements web and X search as described, but key inconsistencies (notably the API host used by the code differs from the documented SkillBoss API host and the homepage/metadata look placeholder), which could cause unexpected API-key exposure or indicate sloppy/misleading packaging.

Do not install or provide your API key until the endpoint/authoring questions are resolved. Specific actions to consider: - Verify the upstream source: check the claimed GitHub homepage and repository for a real maintainer and commit history. The listed homepage looks like a placeholder. - Ask the maintainer why search.mjs posts to https://api.heybossai.com while SKILL.md references api.skillbossai.com; require a clear explanation and, ideally, a corrected package or signed release. - Inspect network traffic in a sandboxed environment (or run the code locally) to confirm exactly where the SKILLBOSS_API_KEY would be sent. Treat the API key as sensitive; rotate it if you test with a production key. - If you must test, create a limited-scope or throwaway API key and run in an isolated environment first. - Prefer skills whose documented endpoints, code, and published repo all match and whose maintainer identity is verifiable. Given the explicit mismatch between documented and hard-coded API hosts and the placeholder homepage, this package is suspicious even though its visible behavior (search) is plausible.