ClawHub
Back to skill

Security audit

Skillboss

Security checks across malware telemetry and agentic risk

Overview

This is a documented AI gateway, but it needs review because it can send private content and real-world messages through outside services without enough safety guidance.

Review before installing. Use a dedicated limited SkillBoss API key, avoid confidential documents, recordings, private images, regulated data, or secrets unless external processing is acceptable, and require explicit approval for every email, SMS, OTP, batch, or high-cost action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (31)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill repeatedly instructs agents to send prompts, documents, audio, phone numbers, email content, and other user-supplied data to https://api.heybossai.com and explicitly routes requests across multiple third-party providers, but it does not warn about data disclosure, retention, provider sharing, or privacy implications. This creates a real security and privacy risk because agents or users may unknowingly transmit sensitive content off-platform to multiple external services.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill exposes outbound email and SMS/OTP features that can cause real-world actions, but it does not include warnings about consent, authorization, possible abuse, or messaging costs. Without guardrails, an agent could send messages or verification codes to third parties without clear user approval, creating spam, harassment, privacy, and operational risks.

External Transmission

Medium
Category
Data Exfiltration
Content
## List Models

```bash
curl -s -X POST https://api.heybossai.com/v1/models \
  -H "Content-Type: application/json" \
  -d "{\"api_key\":\"$SKILLBOSS_API_KEY\"}"
```
Confidence
90% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/models \ -H "Content-Type: application/json" \ -d "{\"api_key\":\"$SKILLBOSS_API_KEY\"}" ``` Filter by type: ```bash curl -s -X POST https://api.heyb

External Transmission

Medium
Category
Data Exfiltration
Content
## Image Generation

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Content-Type: application/json" \
  -d "{\"api_key\":\"$SKILLBOSS_API_KEY\",\"model\":\"mm/img\",\"inputs\":{\"prompt\":\"A sunset over mountains\"}}"
```
Confidence
90% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Content-Type: application/json" \ -d "{\"api_key\":\"$SKILLBOSS_API_KEY\",\"model\":\"mm/img\",\"inputs\":{\"prompt\":\"A sunset over mountai

External Transmission

Medium
Category
Data Exfiltration
Content
## Video Generation

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Content-Type: application/json" \
  -d "{\"api_key\":\"$SKILLBOSS_API_KEY\",\"model\":\"mm/t2v\",\"inputs\":{\"prompt\":\"A cat playing with yarn\"}}"
```
Confidence
90% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Content-Type: application/json" \ -d "{\"api_key\":\"$SKILLBOSS_API_KEY\",\"model\":\"mm/t2v\",\"inputs\":{\"prompt\":\"A cat playing with ya

External Transmission

Medium
Category
Data Exfiltration
Content
## Text-to-Speech

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Content-Type: application/json" \
  -d "{\"api_key\":\"$SKILLBOSS_API_KEY\",\"model\":\"minimax/speech-01-turbo\",\"inputs\":{\"text\":\"Hello world\",\"input\":\"Hello world\",\"voice\":\"alloy\"}}"
```
Confidence
90% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
## Speech-to-Text

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Content-Type: application/json" \
  -d "{\"api_key\":\"$SKILLBOSS_API_KEY\",\"model\":\"openai/whisper-1\",\"inputs\":{\"audio_data\":\"BASE64_AUDIO\",\"filename\":\"recording.mp3\"}}"
```
Confidence
93% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
## Music Generation

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Content-Type: application/json" \
  -d "{\"api_key\":\"$SKILLBOSS_API_KEY\",\"model\":\"replicate/elevenlabs/music\",\"inputs\":{\"prompt\":\"upbeat electronic\",\"duration\":30}}"
```
Confidence
88% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
## Background Removal

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Content-Type: application/json" \
  -d "{\"api_key\":\"$SKILLBOSS_API_KEY\",\"model\":\"replicate/remove-bg\",\"inputs\":{\"image\":\"https://example.com/photo.jpg\"}}"
```
Confidence
90% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
## Document Processing

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Content-Type: application/json" \
  -d "{\"api_key\":\"$SKILLBOSS_API_KEY\",\"model\":\"reducto/parse\",\"inputs\":{\"document_url\":\"https://example.com/file.pdf\"}}"
```
Confidence
95% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
## Web Search

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Content-Type: application/json" \
  -d "{\"api_key\":\"$SKILLBOSS_API_KEY\",\"model\":\"linkup/search\",\"inputs\":{\"query\":\"latest AI news\",\"depth\":\"standard\",\"outputType\":\"searchResults\"}}"
```
Confidence
88% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
## Email

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Content-Type: application/json" \
  -d "{\"api_key\":\"$SKILLBOSS_API_KEY\",\"model\":\"email/send\",\"inputs\":{\"to\":\"user@example.com\",\"subject\":\"Hello\",\"html\":\"<p>Hi there</p>\"}}"
```
Confidence
98% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Content-Type: application/json" \ -d "{\"api_key\":\"$SKILLBOSS_API_KEY\",\"model\":\"email/send\",\"inputs\":{\"to\":\"user@example.com\",\"

External Transmission

Medium
Category
Data Exfiltration
Content
One API key, 50+ models across providers (Bedrock, OpenAI, Vertex, ElevenLabs, Replicate, Minimax, and more). Call any model directly by ID, or use smart routing to auto-select the cheapest or highest-quality option for a task.

**Base URL:** `https://api.heybossai.com/v1`

## List Models
Confidence
86% confidence
Finding
https://api.heybossai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
## List Models

```bash
curl -s -X POST https://api.heybossai.com/v1/models \
  -H "Content-Type: application/json" \
  -d "{\"api_key\":\"$SKILLBOSS_API_KEY\"}"
```
Confidence
90% confidence
Finding
https://api.heybossai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
Filter by type:

```bash
curl -s -X POST https://api.heybossai.com/v1/models \
  -H "Content-Type: application/json" \
  -d "{\"api_key\":\"$SKILLBOSS_API_KEY\",\"types\":\"image\"}"
```
Confidence
89% confidence
Finding
https://api.heybossai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
List available task types:

```bash
curl -s -X POST https://api.heybossai.com/v1/pilot \
  -H "Content-Type: application/json" \
  -d "{\"api_key\":\"$SKILLBOSS_API_KEY\",\"discover\":true}"
```
Confidence
89% confidence
Finding
https://api.heybossai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
Run a task (auto-selects best model):

```bash
curl -s -X POST https://api.heybossai.com/v1/pilot \
  -H "Content-Type: application/json" \
  -d "{\"api_key\":\"$SKILLBOSS_API_KEY\",\"type\":\"image\",\"inputs\":{\"prompt\":\"A sunset over mountains\"}}"
```
Confidence
95% confidence
Finding
https://api.heybossai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
## Chat

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Content-Type: application/json" \
  -d "{\"api_key\":\"$SKILLBOSS_API_KEY\",\"model\":\"bedrock/claude-4-5-sonnet\",\"inputs\":{\"messages\":[{\"role\":\"user\",\"content\":\"Explain quantum computing\"}]}}"
```
Confidence
94% confidence
Finding
https://api.heybossai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
## Image Generation

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Content-Type: application/json" \
  -d "{\"api_key\":\"$SKILLBOSS_API_KEY\",\"model\":\"mm/img\",\"inputs\":{\"prompt\":\"A sunset over mountains\"}}"
```
Confidence
90% confidence
Finding
https://api.heybossai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
Save to file:

```bash
URL=$(curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Content-Type: application/json" \
  -d "{\"api_key\":\"$SKILLBOSS_API_KEY\",\"model\":\"mm/img\",\"inputs\":{\"prompt\":\"A sunset over mountains\"}}" \
  | grep -o '"image_url":"[^"]*"' | cut -d'"' -f4)
Confidence
91% confidence
Finding
https://api.heybossai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
## Video Generation

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Content-Type: application/json" \
  -d "{\"api_key\":\"$SKILLBOSS_API_KEY\",\"model\":\"mm/t2v\",\"inputs\":{\"prompt\":\"A cat playing with yarn\"}}"
```
Confidence
90% confidence
Finding
https://api.heybossai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
Image-to-video:

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Content-Type: application/json" \
  -d "{\"api_key\":\"$SKILLBOSS_API_KEY\",\"model\":\"mm/i2v\",\"inputs\":{\"prompt\":\"Zoom in slowly\",\"image\":\"https://example.com/photo.jpg\"}}"
```
Confidence
95% confidence
Finding
https://api.heybossai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
## Text-to-Speech

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Content-Type: application/json" \
  -d "{\"api_key\":\"$SKILLBOSS_API_KEY\",\"model\":\"minimax/speech-01-turbo\",\"inputs\":{\"text\":\"Hello world\",\"input\":\"Hello world\",\"voice\":\"alloy\"}}"
```
Confidence
90% confidence
Finding
https://api.heybossai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
## Speech-to-Text

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Content-Type: application/json" \
  -d "{\"api_key\":\"$SKILLBOSS_API_KEY\",\"model\":\"openai/whisper-1\",\"inputs\":{\"audio_data\":\"BASE64_AUDIO\",\"filename\":\"recording.mp3\"}}"
```
Confidence
93% confidence
Finding
https://api.heybossai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
## Music Generation

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Content-Type: application/json" \
  -d "{\"api_key\":\"$SKILLBOSS_API_KEY\",\"model\":\"replicate/elevenlabs/music\",\"inputs\":{\"prompt\":\"upbeat electronic\",\"duration\":30}}"
```
Confidence
88% confidence
Finding
https://api.heybossai.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.