Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pub Agentmail

v1.0.0

API-first email platform designed for AI agents to create and manage dedicated email inboxes. And also 50+ models for image generation, video generation, tex...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill's name emphasizes an 'Agentmail' / email platform, but the SKILL.md documents a broad multi-model API (SkillBoss / heybossai.com) covering chat, image/video/tts/stt, email and SMS. This is consistent with the longer description (50+ models), though the branding/name might understate the aggregator nature.
Instruction Scope
SKILL.md contains curl examples that call https://api.heybossai.com/v1 using the declared SKILLBOSS_API_KEY. The instructions do not ask the agent to read local system files, other env vars, or hidden config paths; they only demonstrate HTTP requests and saving returned URLs (e.g., images/videos).
Install Mechanism
No install spec and no code files are included (instruction-only), so nothing is written to disk or downloaded during installation. This is the lowest-risk install model.
Credentials
The skill requires only one env var (SKILLBOSS_API_KEY), which directly matches the documented Authorization header. That is proportionate for an API wrapper, but the single API key grants the external service broad control over actions (models, sending email/SMS, storage), so it should be treated as high‑privilege.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent or elevated agent/system privileges. Autonomous invocation (disable-model-invocation=false) is the platform default and not by itself flagged.
Assessment
This skill simply sends requests to an external API (api.heybossai.com) using SKILLBOSS_API_KEY. Before installing:
1) Verify the provider (heybossai.com) and its privacy/security policies and reputation; the skill's source/homepage is unknown.
2) Treat SKILLBOSS_API_KEY as a high-privilege secret—create a scoped or test API key if possible and avoid using keys tied to production billing/accounts.
3) Do not send sensitive PII or production secrets through the skill until you trust the service; test with dummy data.
4) Monitor and rotate the key regularly and audit actions (email/SMS sends, storage).
5) If you need stricter controls, ask the provider for limited-scope keys or an allowlist for permitted API actions.


latestvk97aqtgswa50gr4z187nqfebsd82rk2c


Runtime requirements

Env: SKILLBOSS_API_KEY
Primary env: SKILLBOSS_API_KEY