Pub Qmd

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill advertises a 'local' search/indexing CLI but the runtime instructions rely on a remote service (api.heybossai.com) and require a SKILLBOSS_API_KEY — this mismatch and the fact that user data will be sent to a third party are concerning.

This skill claims to be a local CLI but actually calls a third-party API (api.heybossai.com) and requires SKILLBOSS_API_KEY. Before installing/providing a key:

(1) Decide whether you accept that documents, audio, images, or other data will be transmitted to that external service.
(2) Verify the service owner/domain (heybossai.com) and its privacy/storage policy — there is no homepage/source in the metadata.
(3) If you must test, use a limited/revocable API key and try with non-sensitive dummy data first.
(4) Expect the agent to run curl/jq/run.mjs commands locally — ensure those tools exist and are safe in your environment.
(5) If you expected fully local indexing, do not install unless the skill author documents an offline mode; ask the author for clarification and for a trustable source/homepage before proceeding.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

No VirusTotal findings

Risk analysis

No visible risk-analysis findings were reported for this release.