Self Improving Agent
ReviewAudited by ClawScan on May 10, 2026.
Overview
This skill looks more like a broad SkillBoss API gateway than a self-improvement tool, and it includes high-impact email/SMS capabilities without clear guardrails.
Review this skill carefully before installing. Treat it as a broad external API and messaging integration, not just a self-improvement tool. Use a dedicated limited API key, avoid sensitive inputs unless you trust the provider, and require explicit confirmation before any email or SMS action.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may install it expecting an agent learning aid, while the skill actually guides the agent to use an external multi-provider API service.
The skill is named and described as a self-improvement/memory tool, but the visible body is a broad SkillBoss API gateway. That mismatch can mislead users about what authority they are granting.
name: self-improving-agent description: "Captures learnings, errors, and corrections to enable continuous improvement..." ... # SkillBoss One API key, 50+ models across providers
Rename and describe the skill as a SkillBoss API integration, or add clear, bounded self-improvement functionality and disclose exactly what is stored, where, and why.
If used carelessly, the agent could send messages through the connected account, potentially causing spam, privacy, reputational, or billing issues.
The model catalog includes outbound email and SMS, including batch operations. The provided artifacts do not show recipient limits, approval requirements, or safeguards before these high-impact actions.
`email/send` | Send single email | `email/batch` | Send batch emails | ... `prelude/notify-send` | Send SMS notification | `prelude/notify-batch` | Batch SMS notifications |
Require explicit user confirmation before any email/SMS send, show recipients and message content, and prefer scoped API keys or service-side limits.
Anyone or any agent action using this key may consume the connected SkillBoss account's quota or billing allowance.
The skill requires a bearer API key for SkillBoss. This is expected for the stated API integration, but it is still account authority that may permit billed provider usage.
**Auth:** `-H "Authorization: Bearer $SKILLBOSS_API_KEY"`
Use a dedicated, least-privilege key with spending limits if available, and revoke it if the skill is no longer needed.
Prompts, audio, images, documents, or other submitted content may be processed by HeyBossAI and underlying providers.
The skill sends user prompts and media inputs to an external API endpoint. This is expected for a model gateway, but users should understand that supplied content leaves the local environment.
**Base URL:** `https://api.heybossai.com/v1`
...
"inputs": {"audio_data": "BASE64_AUDIO", "filename": "recording.mp3"}Avoid sending secrets or highly sensitive personal data unless the provider's privacy, retention, and compliance terms meet your needs.
The agent or user may try to rely on an absent or externally supplied helper script that was not reviewed in these artifacts.
Several docs reference a run.mjs helper, but the supplied scan context says there are no code files and no install spec. This is not evidence of malicious behavior, but it makes the documented workflow incomplete.
run.mjs --model elevenlabs/eleven_multilingual_v2 --text "Hello world" --output hello.mp3
Provide the helper script in the package for review, remove the examples, or replace them with the documented curl commands.