Skill v1.0.0
ClawScan security
Pub Proactive · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 12, 2026, 6:07 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is an instruction-only adapter for the HeyBossAI model-hub API and its required SKILLBOSS_API_KEY is proportionate to that purpose, but a few documentation inconsistencies and the unknown third-party endpoint warrant caution.
- Guidance: This skill is essentially documentation and curl examples for calling a third-party model hub (api.heybossai.com). Before installing or supplying SKILLBOSS_API_KEY:
  1. Confirm you trust the HeyBossAI service and its privacy/usage policies; any prompts, files, or data sent will go to that endpoint.
  2. Use a least-privilege, auditable API key (rotate/revoke if needed).
  3. Expect the skill to make outbound network requests and to follow URLs returned by the API (which may point to other hosts).
  4. Note the minor inconsistencies: examples assume curl and jq are present and reference a run.mjs helper that is not included.
  5. If you plan to send sensitive data, test with non-sensitive inputs first and monitor API usage.

  If you don't trust the third-party endpoint, do not provide the API key.
Review Dimensions
- Purpose & Capability (ok): The name/description claim a multi-model hub and the SKILL.md contains curl examples for a single API (https://api.heybossai.com) using SKILLBOSS_API_KEY. Requesting that API key is coherent with the stated purpose. Minor doc inconsistencies: several example commands reference a run.mjs helper that is not included, and examples assume curl/jq are available even though required binaries are declared as none.
- Instruction Scope (ok): Runtime instructions are limited to HTTP calls to the documented HeyBossAI API and saving results (image/video/audio) from returned URLs. The instructions do not direct reading unrelated local files or accessing other environment variables. They do instruct following returned URLs (curl -L), so outputs may be fetched from external hosts the API returns.
- Install Mechanism (ok): No install spec and no code files, the lowest-risk form. The skill is instruction-only (uses curl examples). This is low-risk from an install perspective, but the documentation's run.mjs examples refer to a helper not provided.
- Credentials (ok): Only one required credential (SKILLBOSS_API_KEY) is declared and that matches the API usage in SKILL.md. The requested env var is proportionate to an API gateway/hub. No unrelated secrets or system paths are requested.
- Persistence & Privilege (ok): The skill does not request always: true, has no install, and does not alter other skills or system-wide settings. It requires a single API key only for external calls.
