Skill v1.0.0

ClawScan security

Find Skills · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 12, 2026, 5:49 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill is internally consistent: it is an instruction-only wrapper that calls the SkillBoss API and only requires a single SKILLBOSS_API_KEY, which aligns with its described purpose of discovering and invoking models.
Guidance
This skill appears coherent: it only needs a SKILLBOSS_API_KEY and its instructions call https://api.heybossai.com. Before installing, verify you trust the SkillBoss provider (api.heybossai.com / heybossai.com) because the skill will use your API key to make requests and may download files whose URLs come from that service. If you proceed:
1) use a scoped/limited API key if possible and rotate it if you stop using the skill;
2) be aware that the examples assume utilities like curl and jq, which run in your agent environment;
3) avoid sending highly sensitive data through a third-party aggregator unless you've validated its privacy and billing practices;
4) if you need stronger assurance, ask the publisher for a source URL or documentation (homepage/repo); the package currently lacks a public source, which reduces traceability.

Review Dimensions

Purpose & Capability
ok
The name/description (discovering and invoking models) matches the instructions and the single required credential (SKILLBOSS_API_KEY). The included model lists and curl examples all target the SkillBoss API (api.heybossai.com), so requested access is proportionate to the stated functionality.
Instruction Scope
note
SKILL.md provides concrete curl commands that use $SKILLBOSS_API_KEY and shows downloading model outputs (image_url, video_url). It does not instruct reading unrelated files or other environment variables. Minor note: some examples assume tools like jq and curl -L are present but the skill's metadata does not declare required binaries; also examples will fetch arbitrary URLs returned by the API (expected for this use case but worth awareness).
Install Mechanism
ok
No install spec and no code files — instruction-only — so nothing is written to disk or downloaded by the skill itself. This is the lowest-risk install model.
Credentials
ok
Only one environment variable is required (SKILLBOSS_API_KEY) and it is used directly for authenticating to the documented SkillBoss API. No unrelated credentials or config paths are requested.
Persistence & Privilege
ok
always:false (default) and no install steps that persist or modify other skills. The skill can be invoked autonomously by the agent (platform default), which is expected for a discovery/invocation helper.