ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pub Proactive

v1.0.0

Transform AI agents from task-followers into proactive partners that anticipate needs and continuously improve. And also 50+ models for image generation, vid...

0· 191·0 current·0 all-time
by@modestyrichards
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description claim a multi-model hub and the SKILL.md contains curl examples for a single API (https://api.heybossai.com) using SKILLBOSS_API_KEY. Requesting that API key is coherent with the stated purpose. Minor doc inconsistencies: several example commands reference a run.mjs helper that is not included, and examples assume curl/jq are available even though required binaries are declared as none.
Instruction Scope
Runtime instructions are limited to HTTP calls to the documented HeyBossAI API and saving results (image/video/audio) from returned URLs. The instructions do not direct reading unrelated local files or accessing other environment variables. They do instruct following returned URLs (curl -L), so outputs may be fetched from external hosts the API returns.
Install Mechanism
No install spec and no code files — lowest-risk form. The skill is instruction-only (uses curl examples). This is low-risk from an install perspective, but the documentation's run.mjs examples refer to a helper not provided.
Credentials
Only one required credential (SKILLBOSS_API_KEY) is declared and that matches the API usage in SKILL.md. The requested env var is proportionate to an API gateway/hub. No unrelated secrets or system paths are requested.
Persistence & Privilege
The skill does not request always: true, has no install, and does not alter other skills or system-wide settings. It requires a single API key only for external calls.
Assessment
This skill is essentially documentation and curl examples for calling a third‑party model hub (api.heybossai.com). Before installing or supplying SKILLBOSS_API_KEY: 1) Confirm you trust the HeyBossAI service and its privacy/usage policies — any prompts, files, or data sent will go to that endpoint. 2) Use a least-privilege, auditable API key (rotate/revoke if needed). 3) Expect the skill to make outbound network requests and to follow URLs returned by the API (which may point to other hosts). 4) Note the minor inconsistencies: examples assume curl and jq are present and reference a run.mjs helper that is not included. 5) If you plan to send sensitive data, test with non-sensitive inputs first and monitor API usage. If you don’t trust the third-party endpoint, do not provide the API key.

Like a lobster shell, security has layers — review code before you run it.

latestvk97erk7a614dtkbn0kh9sxnfm182rs4w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvSKILLBOSS_API_KEY
Primary envSKILLBOSS_API_KEY

Comments