ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pub Gemini

v1.0.0

Gemini CLI for one-shot Q and A, summaries, and generation. And also 50+ models for image generation, video generation, text-to-speech, speech-to-text, music...

0· 181·0 current·0 all-time
by@martinpollitt
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
SKILL.md documents a generic aggregator API (Base URL: https://api.heybossai.com/v1) that proxies many models/providers. That is reasonably consistent with a helper CLI that exposes '50+ models'. However the skill name ('Pub Gemini') and the SKILL.md prominently branding 'SkillBoss' / 'heybossai.com' appear inconsistent — this could be an innocent naming mismatch or a copy-paste error, but it reduces trust in provenance.
Instruction Scope
All instructions are curl examples calling the documented API endpoints at api.heybossai.com, showing model list, chat, image/video/tts/stt, etc. There are no instructions to read unrelated local files, exfiltrate system credentials, or POST data to unexpected third-party endpoints. Examples reference using jq and saving URLs to files (normal).
Install Mechanism
This is an instruction-only skill with no install spec and no embedded code files to execute. That minimizes disk-write/install risk.
Credentials
The skill requests a single credential (SKILLBOSS_API_KEY) which aligns with calling a centralized API. No other unrelated secrets, config paths, or high-privilege env vars are requested.
Persistence & Privilege
The skill is not forced always-on (always: false) and uses normal autonomous invocation defaults. It doesn't request system-wide persistence or modify other skills' configs.
What to consider before installing
Before installing: verify the provider and source. The SKILL.md points to api.heybossai.com (SkillBoss) but the skill is named 'Pub Gemini' and has no homepage or source repo — ask the publisher for authoritative documentation or prefer an official client. Treat SKILLBOSS_API_KEY like any secret: avoid reusing a high-privilege key, test in a sandbox account, and review billing/usage policies for the aggregator (it may call many downstream providers). If you plan to use provider-specific features (e.g., Google Vertex/Bedrock/OpenAI billing), consider using provider-specific keys or limited-scope keys rather than a single aggregator key. If you cannot verify the publisher or domain, do not provide sensitive credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk977zr3xz9x0fgpnrpnwr45f6x82s16a

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvSKILLBOSS_API_KEY
Primary envSKILLBOSS_API_KEY

Comments