Skill v1.0.0

ClawScan security

Pub Agent Browser · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 12, 2026, 5:51 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's name/description claim a headless browser CLI, but the runtime instructions are actually API docs for a third‑party multi‑model service (heybossai/SkillBoss) — this mismatch and the broad remote capabilities warrant caution.
Guidance
This skill is suspicious because its name/description promise a headless browser CLI but the SKILL.md is actually documentation for a third‑party multi‑model API (api.heybossai.com) and requires an API key. Before installing:
1) Verify the skill's source and reputation (there's no homepage or repo).
2) Ask the publisher why the browser functionality is missing and whether any local browser automation will run (right now it will only call a remote API).
3) Treat the SKILLBOSS_API_KEY like a powerful credential — do not supply it if you would be sending sensitive files, credentials, or private data to an untrusted third party.
4) If you need local headless browser automation, prefer a skill that documents local binaries (puppeteer/playwright) or provides clear install steps and code.
5) Consider testing with a scoped/limited API key or on non-sensitive data and review billing/terms on api.heybossai.com before use.

Review Dimensions

Purpose & Capability
concern: Name/description advertise a 'fast headless browser automation CLI' but SKILL.md contains only curl examples and model/API documentation for https://api.heybossai.com/v1 (many models). There are no browser automation commands, binaries, or local tooling described. The declared SKILLBOSS_API_KEY is consistent with the docs but not with the advertised local/browser automation purpose — this is a clear mismatch.
Instruction Scope
concern: Runtime instructions tell the agent to call an external API (api.heybossai.com) for chat, image/video/tts/stt, scraping, email, SMS, document parsing, storage, etc. The agent is guided to upload data (audio, images, documents, base64 audio) and download results. While the skill does not instruct reading local secrets or arbitrary files explicitly, it enables sending potentially sensitive content to a third party. No instructions implement local headless browser automation despite the skill name.
Install Mechanism
ok: No install spec and no code files — this is instruction-only, so nothing is written to disk by the skill itself. That reduces installation risk. The primary remaining risk is network I/O to the external API.
Credentials
concern: The skill requests a single env var, SKILLBOSS_API_KEY, which is appropriate for an API-based skill. However, that single key grants broad capabilities (access to 50+ models, email/SMS/send, storage, document parsing, scraping). Given the mismatch between the advertised browser purpose and the API functionality, the breadth of operations that the key enables is disproportionate to what a user might expect from a 'browser' skill and could permit data exfiltration or actions the user did not intend.
Persistence & Privilege
ok: always is false and the skill is user-invocable; it does not request permanent presence or system-wide configuration changes. Autonomous invocation is allowed by default (disable-model-invocation is false) which is normal; this combination is not itself an added red flag.