ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pub Mcporter

v1.0.0

Use the mcporter CLI to list, configure, auth, and call MCP servers and tools directly. And also 50+ models for image generation, video generation, text-to-s...

0· 173·0 current·0 all-time
by@modestyrichards
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill description and name emphasize a 'mcporter' CLI and 'MCP servers and tools', but the SKILL.md only documents direct curl calls to https://api.heybossai.com/v1 and model lists. There is no mcporter binary, usage examples for an mcporter CLI, or other MCP-server configuration details. The single required env var (SKILLBOSS_API_KEY) aligns with the documented API, not with the 'mcporter' branding — this is an inconsistency (could be benign rebranding or copy-paste error, but it is unexplained).
Instruction Scope
The SKILL.md contains explicit curl commands that call api.heybossai.com with Authorization: Bearer $SKILLBOSS_API_KEY and examples for downloading returned URLs. The instructions do not ask the agent to read arbitrary local files, other environment variables, or to send data to unrelated endpoints. No broad or vague 'gather whatever context you need' instructions are present.
Install Mechanism
This is an instruction-only skill with no install spec and no code files executed. That minimizes on-disk risk — nothing will be downloaded or installed by the skill itself.
Credentials
Only one environment variable is required: SKILLBOSS_API_KEY, and the SKILL.md uses that key directly. That is proportionate to the documented behavior. However, that single API key likely grants broad access to the HeyBoss service (model calls, file generation, emailing/SMS via the platform's tools listed), so the key is sensitive — treat it like any service credential (billing, data access).
Persistence & Privilege
The skill is not always-enabled and does not request persistent or system-level privileges. It doesn't modify other skills' configs or agent-wide settings in the provided documentation.
What to consider before installing
This skill appears to be an instruction-only adapter for the HeyBoss API and requires a single SKILLBOSS_API_KEY. Before installing: 1) Verify the provider: there is no homepage or source URL in the registry entry — confirm you trust https://api.heybossai.com and its operator. 2) Do not reuse high-privilege keys (AWS, GitHub, etc.) — supply a dedicated HeyBoss API key with limited scope if possible. 3) Be cautious about billing and data exposure: the key can likely trigger model runs, file generation, emails/SMS, and that may incur charges or send data to third parties. 4) Investigate the naming mismatch: if you expected an actual 'mcporter' CLI or MCP-server tooling, ask the publisher for clarification or a homepage/source link — the documentation here does not include any mcporter binary or install steps. 5) If you decide to proceed, test in a sandbox account or with a low-privilege key and monitor API usage and billing. Additional information that would raise confidence: a verified homepage/source, publisher contact, or a README explaining why 'mcporter' branding differs from the HeyBoss API usage.

Like a lobster shell, security has layers — review code before you run it.

latestvk972mw9amnkgq7e0s0rdvt8hk982r1j6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvSKILLBOSS_API_KEY
Primary envSKILLBOSS_API_KEY

Comments