PartnerBoost Brand

AdvisoryAudited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note

ASI03: Identity and Privilege Abuse

What this means

If configured with a real key, the agent can access PartnerBoost merchant data such as transactions, performance, billing, and account information allowed by that key.

Why it was flagged

The skill requires an API key and instructs the agent to use it for every PartnerBoost request, giving delegated access to the merchant account. This is expected for the stated integration but should be treated as sensitive.

Skill content

requires:
  env:
    - PARTNERBOOST_API_KEY
...
Every request must include:
-H "X-Api-Key: $PARTNERBOOST_API_KEY"

Recommendation

Use the least-privileged PartnerBoost API key available, provide it only to trusted agent runtimes, avoid exposing it in chat or logs, and rotate it if it may have been leaked.

Note

ASI02: Tool Misuse and Exploitation

What this means

A mistaken or overly broad API request could retrieve more merchant data than intended, or perform any action the PartnerBoost API and key permit.

Why it was flagged

The skill exposes a broad raw curl pattern for PartnerBoost API calls. This is purpose-aligned for an API skill, but command parameters and endpoints should be chosen carefully because the agent is acting with the user's merchant API authority.

Skill content

All WebUI APIs follow this pattern:
- GET: `curl -s -H "X-Api-Key: $PARTNERBOOST_API_KEY" "https://app.partnerboost.com/a/{controller}/{action}?param1=value1&param2=value2"`
- POST: `curl -s -X POST ... -d '{"key":"value"}' "https://app.partnerboost.com/a/{controller}/{action}"`

Recommendation

Review generated curl commands before running sensitive POST, billing, account, or partner-management operations, and prefer the documented endpoint examples when possible.

Note

ASI04: Agentic Supply Chain Vulnerabilities

What this means

A user may have less external context for verifying who published the skill or whether it is the intended PartnerBoost integration.

Why it was flagged

The provided registry metadata does not identify a source or homepage. The absence of executable code lowers risk, but provenance is still worth checking before granting the skill access to a merchant API key.

Skill content

Source: unknown
Homepage: none
Install specifications: No install spec — this is an instruction-only skill.

Recommendation

Confirm the publisher or repository through trusted PartnerBoost or organizational channels before configuring a production API key.