Pub Clawddocs

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is mostly a documented SkillBoss API wrapper, but it gives the agent broad API-key-powered access, including batch email and SMS actions, without clear guardrails.

Review this skill before installing. It appears to be a broad SkillBoss API reference rather than only a documentation helper. If you use it, protect the API key, do not send sensitive files or media unless appropriate, and require explicit confirmation before any email, SMS, or batch messaging action.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent uses these capabilities incorrectly, it could send unintended emails or SMS messages and potentially incur costs or affect recipients.

Why it was flagged

These are outbound communication and batch messaging capabilities exposed through the SkillBoss API; the provided artifacts do not show approval, recipient/content confirmation, rate limits, or rollback guidance before such calls.

Skill content

`email/send` | Send single email ... `email/batch` | Send batch emails ... `prelude/notify-batch` | Batch SMS notifications

Recommendation

Only enable this skill if you trust the SkillBoss account/key and require explicit user confirmation before any email, SMS, or batch-send operation.

What this means

Anyone or any agent action using this key may be able to spend credits or invoke connected provider features.

Why it was flagged

The skill requires a bearer API key that can access a broad provider gateway. This is disclosed and expected for the stated integration, but it is a sensitive credential.

Skill content

One API key, 50+ models across providers ... Auth: `-H "Authorization: Bearer $SKILLBOSS_API_KEY"`

Recommendation

Use a least-privilege or dedicated SkillBoss key if available, monitor usage, and revoke the key if it is no longer needed.

What this means

Sensitive prompts, audio, images, or documents may leave the local environment when the skill is used.

Why it was flagged

The documented workflows send prompts, media, and potentially document/audio contents to an external API gateway and downstream providers. This is purpose-aligned but important for privacy.

Skill content

`curl -s -X POST https://api.heybossai.com/v1/run` ... `"inputs": {"audio_data": "BASE64_AUDIO", "filename": "recording.mp3"}`

Recommendation

Avoid sending confidential data unless you are comfortable with SkillBoss and its downstream providers processing it.

What this means

Using an undeclared local helper could fail or run code that was not part of this skill review.

Why it was flagged

Several docs reference a run.mjs helper, but the provided manifest/install information says there are no code files and no required binaries. The helper's provenance is therefore not reviewable here.

Skill content

`run.mjs --model bedrock/claude-4-5-sonnet --prompt "Explain quantum computing"`

Recommendation

Prefer the documented curl examples, or verify the source and path of any run.mjs helper before executing it.