Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a documented external API helper with no included executable code, but it requires a SkillBoss API key and can call broad third-party model and messaging services.

Install only if you intend to use the SkillBoss/HeyBossAI API. Review any Bash, curl, or run.mjs command before running it, use a dedicated API key if possible, avoid sending sensitive files or prompts unless allowed, and require explicit confirmation before email or SMS sends.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could use the API key to send emails or SMS messages if a workflow invokes those model IDs.

Why it was flagged

The catalog includes external messaging actions, including batch sends. This is disclosed as part of the model gateway, but these actions can affect third parties if invoked without careful user confirmation.

Skill content

`email/send` | Send single email ... `email/batch` | Send batch emails ... `prelude/notify-batch` | Batch SMS notifications

Recommendation

Confirm recipients, message content, and costs before using email or SMS models; prefer explicit user approval for any batch send.

What this means

API calls may consume quota, incur costs, or act under the user's SkillBoss account.

Why it was flagged

The skill requires a bearer API key for the SkillBoss/HeyBossAI service. This is expected for the integration and no logging or unrelated credential use is shown.

Skill content

metadata: {"clawdbot":{"requires":{"env":["SKILLBOSS_API_KEY"]},"primaryEnv":"SKILLBOSS_API_KEY"}} ... **Auth:** `-H "Authorization: Bearer $SKILLBOSS_API_KEY"`

Recommendation

Use a dedicated or restricted API key where possible, monitor usage, and rotate the key if it is exposed.

What this means

If a user obtains or runs a separate run.mjs helper, that code was not part of the reviewed artifact set.

Why it was flagged

The documentation references a run.mjs helper, but the provided manifest contains no run.mjs file and the scan reports no code files. As provided, this is only documentation, but any external helper would need separate review.

Skill content

```bash
run.mjs --model bedrock/claude-4-5-sonnet --prompt "Explain quantum computing"
run.mjs --model openai/gpt-4o-mini --prompt "Summarize this" --context "Be concise"
```

Recommendation

Use the shown curl commands or review any external helper script before running it.

What this means

Sensitive prompts, documents, images, or audio sent through the skill may be processed outside the local machine.

Why it was flagged

The skill is an external provider gateway. User prompts, media inputs, audio, or documents may be sent to HeyBossAI and downstream providers; this is disclosed and purpose-aligned.

Skill content

One API key, 50+ models across providers (Bedrock, OpenAI, Vertex, ElevenLabs, Replicate, Minimax, and more). Call any model directly by ID

Recommendation

Avoid sending confidential data unless the provider terms and downstream processing are acceptable for your use case.