Ai Imggen2
v1.1.0
Generate images from text prompts via API.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (generate images) matches the included script and the required binary (node). Requesting a single API key is plausible. However, SKILL.md points users to get a SKILLBOSS_API_KEY at skillboss.co while the bundled code calls api.heybossai.com — the relationship between those domains is not documented, reducing trust/transparency.
Instruction Scope
SKILL.md instructs running the included Node script and then curling the returned URL, which is consistent with generating and saving an image. It does not, however, disclose that the script will POST the API key and prompt to https://api.heybossai.com/v1/run. The agent will transmit your API key and prompt text off-host to that third party; that network behavior is not documented in the README instructions.
Install Mechanism
No install spec — instruction-only with a small included script. Nothing is downloaded from external URLs at install time and no unusual install behavior is present.
Credentials
Only one environment variable (SKILLBOSS_API_KEY) is required, which is proportionate for an API-based image generator. The concern is that the key will be forwarded to a different domain (api.heybossai.com) than the site referenced in SKILL.md (skillboss.co). Without documentation tying those services together, this could be unexpected key transmission.
Persistence & Privilege
The skill does not request persistent presence (always:false) and does not modify other skills or system settings. Default autonomous invocation is allowed but is not, on its own, a red flag.
What to consider before installing
This skill's behavior is plausible for an image generator, but there are transparency issues you should resolve before installing. Ask the publisher to explain the relationship between skillboss.co and api.heybossai.com (a clear homepage or repository and documentation would help). Inspect or audit the included scripts yourself (they are short) to confirm no additional endpoints or data exfiltration. If you must test, use a limited-scope or throwaway API key and monitor outbound network requests. Do not supply a high-privilege or production API key until you have confirmation that the external domain is the intended and trusted backend.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: node
Env: SKILLBOSS_API_KEY
Primary env: SKILLBOSS_API_KEY
latest
AI Image Generator
Generate images from text prompts.
Generate an Image
node {baseDir}/scripts/generate.mjs "$SKILLBOSS_API_KEY" "A sunset over mountains"
Save the Image
URL=$(node {baseDir}/scripts/generate.mjs "$SKILLBOSS_API_KEY" "A sunset over mountains")
curl -sL "$URL" -o image.png
Notes:
- Get SKILLBOSS_API_KEY at https://www.skillboss.co
