Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skillboss

v1.0.0

Swiss-knife for AI agents. 50+ models for image generation, video generation, text-to-speech, speech-to-text, music, chat, web search, document parsing, emai...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description claim an aggregator for many models and the skill only requires a single SKILLBOSS_API_KEY to call a central API (api.heybossai.com). The requested credential and the provided curl examples align with that purpose; there are no unrelated environment variables, binaries, or config paths.
Instruction Scope
SKILL.md instructions are limited to POSTing JSON (including the SKILLBOSS_API_KEY) to the heybossai API and optionally downloading returned media URLs. That stays within the stated scope. One minor note: the frontmatter lists allowed-tools: Bash, Read — the instructions do not ask to read system secrets, but if the agent uses the Read tool it could be used to collect local files for upload (e.g., base64 audio). This is not required by the skill but is a capability to be aware of.
Install Mechanism
No install spec or code files — instruction-only. Nothing is downloaded or written to disk by the skill itself, which minimizes install-time risk.
Credentials
Only a single credential (SKILLBOSS_API_KEY) is required and is the declared primary credential. That is proportionate for a centralized aggregator API. No unrelated secrets or multiple credentials are requested.
Persistence & Privilege
always is false and the skill can be invoked by the agent (default behavior). The skill does not request persistent system-level presence or modify other skills/config; this is proportionate.
Assessment
This skill appears internally consistent, but it routes all requests and (potentially) file uploads to api.heybossai.com. Only provide an API key to services you trust. Before installing or using: (1) confirm the legitimacy of heybossai (no homepage/source is provided), (2) avoid sending sensitive data or credentials to the service, (3) if you must upload files, test with non-sensitive samples first, and (4) give the key least privilege and plan to rotate it if exposed.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97ewdbr4y98wst17b7wwen69h82qw3z

Runtime requirements

Env: SKILLBOSS_API_KEY
Primary env: SKILLBOSS_API_KEY
