Skill v1.0.0
ClawScan security
Pub Web Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign, Mar 12, 2026, 8:21 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it documents calling a single third-party API (api.heybossai.com) using one API key and provides cURL examples for the advertised functionality; nothing in the files demands unrelated credentials or system access.
- Guidance: This skill is coherent with its documentation and only requires one API key. Before installing: verify the provider (api.heybossai.com) and its trustworthiness (no homepage was provided), restrict the API key's permissions and billing limits if possible, avoid using high-privilege/production keys for testing, and be aware the skill can trigger downloads and use backend features (email/SMS/scraping) which could have privacy, cost, or legal implications. If you need stronger assurance, ask the author for a homepage/privacy policy, a scoped API key option, or a vendor SLA.
Review Dimensions
- Purpose & Capability (ok): Name/description (web search + many model types) matches the runtime instructions and example calls to https://api.heybossai.com/v1. The required credential (SKILLBOSS_API_KEY) aligns with the documented API. The extra model capabilities (image, video, TTS, email, SMS, scraping) are described throughout the docs and therefore coherent with the stated scope.
- Instruction Scope (note): SKILL.md is instruction-only and contains cURL examples that use the SKILLBOSS_API_KEY to call the provider and may download returned URLs (e.g., image_url, video_url). The instructions do not ask the agent to read unrelated local files or other env vars. Note: executing returned download URLs or scraper models could cause the agent to fetch arbitrary external resources; this is expected for a web-search/scraping integration but has operational/privacy implications.
- Install Mechanism (ok): No install spec or code to write to disk; instruction-only skill with only example shell commands. This minimizes install-time risk.
- Credentials (note): Only one env var (SKILLBOSS_API_KEY) is required and that matches the provider. However, the documented API consolidates access to many backend capabilities (sending email/SMS, scraping, many paid models), so a single key may grant broad actions and billing capacity; users should ensure the key's privileges and billing limits are appropriate.
- Persistence & Privilege (ok): always is false and there is no install-time persistence. The skill does not request elevated platform privileges or cross-skill config access.
