PartnerBoost Brand
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: partnerboost-brand Version: 1.1.1 The skill bundle provides a standard interface for interacting with the PartnerBoost Merchant API. It defines various endpoints for managing transactions, performance metrics, and billing information via curl commands. The authentication mechanism uses a user-provided environment variable (PARTNERBOOST_API_KEY), and all network requests are directed to the legitimate domain app.partnerboost.com. No evidence of malicious execution, data exfiltration, or prompt injection was found in SKILL.md or the documentation files.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured with a real key, the agent can access PartnerBoost merchant data such as transactions, performance, billing, and account information allowed by that key.
The skill requires an API key and instructs the agent to use it for every PartnerBoost request, giving delegated access to the merchant account. This is expected for the stated integration but should be treated as sensitive.
requires:
env:
- PARTNERBOOST_API_KEY
...
Every request must include:
-H "X-Api-Key: $PARTNERBOOST_API_KEY"Use the least-privileged PartnerBoost API key available, provide it only to trusted agent runtimes, avoid exposing it in chat or logs, and rotate it if it may have been leaked.
A mistaken or overly broad API request could retrieve more merchant data than intended, or perform any action the PartnerBoost API and key permit.
The skill exposes a broad raw curl pattern for PartnerBoost API calls. This is purpose-aligned for an API skill, but command parameters and endpoints should be chosen carefully because the agent is acting with the user's merchant API authority.
All WebUI APIs follow this pattern:
- GET: `curl -s -H "X-Api-Key: $PARTNERBOOST_API_KEY" "https://app.partnerboost.com/a/{controller}/{action}?param1=value1¶m2=value2"`
- POST: `curl -s -X POST ... -d '{"key":"value"}' "https://app.partnerboost.com/a/{controller}/{action}"`Review generated curl commands before running sensitive POST, billing, account, or partner-management operations, and prefer the documented endpoint examples when possible.
A user may have less external context for verifying who published the skill or whether it is the intended PartnerBoost integration.
The provided registry metadata does not identify a source or homepage. The absence of executable code lowers risk, but provenance is still worth checking before granting the skill access to a merchant API key.
Source: unknown Homepage: none Install specifications: No install spec — this is an instruction-only skill.
Confirm the publisher or repository through trusted PartnerBoost or organizational channels before configuring a production API key.