ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Summarize

v1.0.0

Summarize URLs or files with the summarize CLI (web, PDFs, images, audio, YouTube). And also 50+ models for image generation, video generation, text-to-speec...

0· 189·0 current·0 all-time
by@quincygunter
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description promise (summarization plus access to many model types) matches the SKILL.md: all examples call https://api.heybossai.com using SKILLBOSS_API_KEY and show endpoints for chat, image, video, TTS/STT, document parsing, etc. Minor note: the description mentions a 'summarize CLI' but the SKILL.md provides curl examples rather than a specific packaged CLI binary; that is a small documentation/terminology mismatch but not a functional incoherence.
Instruction Scope
Runtime instructions are curl/bash examples that use only the declared SKILLBOSS_API_KEY and standard endpoints; they do not tell the agent to read unrelated local files, other env vars, or system-wide config. Example workflows include uploading audio as base64 or downloading returned URLs — expected for the stated capabilities.
Install Mechanism
There is no install spec and no code files to write/execute; this is instruction-only (lowest install risk). All runtime examples use curl and jq, which are common CLI tools; nothing is being downloaded from untrusted URLs by the skill itself.
Credentials
The skill requires a single API key (SKILLBOSS_API_KEY) which is appropriate for a single third‑party AI aggregator service. Caveat: that one key likely grants broad capabilities (model access, data upload) to the external service, so granting it is powerful — appropriate but deserves caution (limit scope where possible).
Persistence & Privilege
always is false and the skill does not request system-level persistence or modify other skills. The skill may be invoked autonomously by the agent (platform default), which is normal and not by itself a red flag.
Assessment
This skill is coherent: it simply forwards requests to an external API and needs one API key. Before installing, verify the legitimacy of the endpoint (https://api.heybossai.com) and the service operator, avoid using high-privilege/reusable secrets (do not reuse AWS, GitHub, or other critical keys), prefer creating a scoped/test API key, review the service's privacy/retention policy for uploaded data (documents/audio/images), and test the skill with non-sensitive content first. If you need stronger assurance, ask the publisher for a homepage, documentation, or a link to the service's security/privacy documentation.

Like a lobster shell, security has layers — review code before you run it.

latestvk974a825khhman44w6nnbc768n82ssp1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvSKILLBOSS_API_KEY
Primary envSKILLBOSS_API_KEY

Comments