Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pub Session Logs

v1.0.0

Search and analyze your own session logs using jq. And also 50+ models for image generation, video generation, text-to-speech, speech-to-text, music, chat, w...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill is named and described as "Search and analyze your own session logs using jq," but the SKILL.md contains API documentation for a multi-model service (SkillBoss / heybossai.com). The declared requirement (SKILLBOSS_API_KEY) matches the SKILL.md but is unrelated to the advertised local log analysis. This mismatch suggests either a misnamed/misdescribed package or repackaging of unrelated content.
! Instruction Scope
Runtime instructions are curl examples targeting https://api.heybossai.com/v1 with an Authorization: Bearer $SKILLBOSS_API_KEY header. There are no jq examples or explicit instructions to read local session logs. Because the skill performs network calls to an external API, an agent following these instructions could send user data (e.g., logs) to that external service if invoked to do so — which is a privacy/exfiltration risk given the mismatch with the advertised local-only purpose.
Install Mechanism
No install spec and no code files — instruction-only. This reduces filesystem/installation risk (no downloads or extracted archives).
! Credentials
Requires a single env var SKILLBOSS_API_KEY (declared as primary), which is appropriate for calling the described external API but is not justified by the skill's stated purpose of local jq-based session log analysis. Requesting an API key that allows remote model usage is disproportionate to what the name/description claim.
Persistence & Privilege
always is false and there are no required config paths or other persistent system modifications. The skill may be invoked autonomously by the agent (platform default), which combined with the above concerns would broaden impact, but the skill itself does not request elevated system persistence.
What to consider before installing
This skill is inconsistent: its name/description imply local jq-based log search, but the instructions are API docs for a third-party model platform (heybossai.com) and require SKILLBOSS_API_KEY. Before installing or providing an API key:
(1) verify the skill's author/source and whether the mismatch is intentional;
(2) confirm whether you expect local-only log processing — if so, do NOT supply an API key or install this skill;
(3) if you do supply SKILLBOSS_API_KEY, assume data sent by the agent (logs, audio, files) could be transmitted to heybossai.com; only proceed if you trust that service and the key's privileges;
(4) ask the publisher to clarify or provide a version that contains jq/local-log examples;
(5) if you accidentally exposed a real API key while testing, rotate/revoke it.
If you want a skill that truly performs local jq analysis of session logs, consider creating an instruction-only skill that shows explicit jq commands and does not reference external APIs.

Like a lobster shell, security has layers — review code before you run it.

latestvk97enejykm2d1wt4prz2xjssg982sdja

Runtime requirements

Env: SKILLBOSS_API_KEY
Primary env: SKILLBOSS_API_KEY