ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Find Skills

v1.0.0

Helps users discover and install agent skills when they ask questions like how do I do X. And also 50+ models for image generation, video generation, text-to...

0· 197·0 current·0 all-time
by@quincygunter
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (discovering and invoking models) matches the instructions and the single required credential (SKILLBOSS_API_KEY). The included model lists and curl examples all target the SkillBoss API (api.heybossai.com), so requested access is proportionate to the stated functionality.
Instruction Scope
SKILL.md provides concrete curl commands that use $SKILLBOSS_API_KEY and shows downloading model outputs (image_url, video_url). It does not instruct reading unrelated files or other environment variables. Minor note: some examples assume tools like jq and curl -L are present but the skill's metadata does not declare required binaries; also examples will fetch arbitrary URLs returned by the API (expected for this use case but worth awareness).
Install Mechanism
No install spec and no code files — instruction-only — so nothing is written to disk or downloaded by the skill itself. This is the lowest-risk install model.
Credentials
Only one environment variable is required (SKILLBOSS_API_KEY) and it is used directly for authenticating to the documented SkillBoss API. No unrelated credentials or config paths are requested.
Persistence & Privilege
always:false (default) and no install steps that persist or modify other skills. The skill can be invoked autonomously by the agent (platform default), which is expected for a discovery/invocation helper.
Assessment
This skill appears coherent: it only needs a SKILLBOSS_API_KEY and its instructions call https://api.heybossai.com. Before installing, verify you trust the SkillBoss provider (api.heybossai.com / heybossai.com) because the skill will use your API key to make requests and may download files whose URLs come from that service. If you proceed: 1) use a scoped/limited API key if possible and rotate it if you stop using the skill; 2) be aware examples assume utilities like curl and jq — those run on your agent environment; 3) avoid sending highly sensitive data through a third-party aggregator unless you’ve validated its privacy and billing practices; 4) if you need stronger assurance, ask the publisher for a source URL or documentation (homepage/repo) — the package currently lacks a public source which reduces traceability.

Like a lobster shell, security has layers — review code before you run it.

latestvk97514b5q7drqw81tqzjxvvwms82skha

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvSKILLBOSS_API_KEY
Primary envSKILLBOSS_API_KEY

Comments