Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Quick Img V2
v1.1.0
Generate images using curl and the SkillBoss API.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose is to generate images via the SkillBoss API, which is consistent with the curl example that posts to https://api.heybossai.com/v1/run. However the SKILL.md examples rely on curl and node, yet the registry metadata lists no required binaries — this is an incoherence (the skill should declare curl and node if it needs them).
Instruction Scope
The runtime instructions include an unrelated "Check IP" step that runs scripts/hello.mjs. That script performs a network request to https://httpbin.org/get and prints the origin IP. Contacting an external site unrelated to the image API is scope creep and transmits the agent's network-visible IP and headers to a third party. The skill also pipes remote API output into a node one-liner — the one-liner parses JSON (not eval), which is expected, but executing any processor on network data increases the attack surface.
Install Mechanism
This is an instruction-only skill with no install spec, so nothing is written to disk on install. That's the lowest install risk.
Credentials
The skill requests a single credential, SKILLBOSS_API_KEY, which aligns with calling the SkillBoss API. The SKILL.md uses that key directly in the request to api.heybossai.com — this is expected. No other credentials or config paths are requested.
Persistence & Privilege
The skill does not request always:true and is not attempting to modify other skills or agent configuration. Autonomous invocation is enabled by default but is not combined with elevated persistence here.
What to consider before installing
Before installing or using this skill:
(1) Recognize it requires network access to two external endpoints — api.heybossai.com (for image generation) and httpbin.org (the bundled "Check IP" script). The latter is unrelated to the stated purpose and will reveal your agent's public IP to a third party.
(2) The SKILL.md examples call curl and node but the skill metadata does not declare these as required binaries — verify that your runtime provides them and be cautious about executing scripts.
(3) Only provide SKILLBOSS_API_KEY if you trust the SkillBoss service and the skill author; consider creating a limited-scope API key if possible.
(4) If you don't need the IP-checking helper, remove or review scripts/hello.mjs before running.
(5) If you want to reduce risk, ask the author to (a) declare required binaries, (b) remove or make optional the httpbin check, and (c) document exactly what data is sent to external endpoints.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Env: SKILLBOSS_API_KEY
Primary env: SKILLBOSS_API_KEY
