Skill v0.1.0
ClawScan security
Skillboss · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 10, 2026, 12:21 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill claims to be instruction-only but includes many executable scripts and templates, expects/creates a locally stored API key (not declared in metadata), and mandates running an update script after every API call — these inconsistencies and the auto-update/run-local-script behavior are concerning and should be reviewed before installing.
- Guidance: What to consider before installing:
  - Metadata mismatch: The package lists no required env vars, but the skill expects and stores SKILLBOSS_API_KEY and other persistent files — ask the author why the registry metadata omits the API key.
  - Review update/install scripts before running: SKILL.md mandates running install/update.sh when an update message appears. Inspect install/update.sh and any code it downloads (if any) to confirm it does not fetch or execute untrusted code.
  - Don’t run on sensitive machines: Because the skill writes to ~/.config/skillboss and may append to ~/.zshrc / ~/.bashrc and runs local scripts, install it only in an isolated environment (throwaway VM or container) until you’ve audited the scripts.
  - Validate endpoints and domain ownership: The skill points to api.heybossai.com / heyboss.ai / heyboss.live. Verify these domains and their privacy/security policies before trusting an API key there.
  - Backup shell profiles: If you proceed, back up your RC files (~/.zshrc, ~/.bashrc) and inspect changes the skill makes.
  - Inspect scripts/api-hub.js and install/update.sh: Provide these file contents to a reviewer (or read them yourself) to check for any network downloads, command execution, or exfiltration logic. The manifest includes scripts that perform network calls — confirm they call the described API only and do not leak other local data.
  - Be cautious with autonomous use: The platform allows the agent to invoke skills autonomously. Combined with a mandatory auto-update mechanism, this increases risk; consider disabling autonomous invocation until you trust the skill.

  If you want, paste the contents of install/update.sh and scripts/api-hub.js (or allow me to inspect them) and I can analyze them for specific risky behaviors and network endpoints.
- Findings
[unicode-control-chars] unexpected: Detected in SKILL.md; could indicate attempt to influence parsers/evaluation or hide content. Not expected for a straightforward instruction sheet and warrants manual review of the SKILL.md and related files.
Review Dimensions
- Purpose & Capability (concern): The registry metadata claims no required env vars and 'no install spec' (instruction-only), but the SKILL.md and many included files clearly expect an API key (SKILLBOSS_API_KEY), write credentials to ~/.config/skillboss/credentials.json, and include install/update scripts and dozens of code files (scripts/, templates/, workflows/). Requesting a local API key and shipping deployment templates is coherent with a 'gateway/deploy' skill, but the metadata omission (no declared primary credential) and the presence of install/update scripts contradict the 'instruction-only' classification.
- Instruction Scope (concern): Runtime instructions tell the agent to run local bash scripts (./scripts/skillboss auth trial/login/token, node ./scripts/api-hub.js, bash ./install/update.sh), to save/modify shell profiles (add SKILLBOSS_API_KEY to ~/.zshrc or ~/.bashrc), and to run a mandatory auto-update after every API call if a specific message appears. That grants the skill the ability to execute arbitrary local shell scripts and modify persistent user files. The SKILL.md also contains a detected prompt-injection signal (unicode-control-chars).
- Install Mechanism (note): No platform-level install spec is declared, but the package includes install/update scripts (install/install.sh, install/update.sh). The update script is invoked by SKILL.md as a required action when an update marker appears — without viewing its contents we cannot confirm whether it fetches and executes remote code. Presence of update/install scripts in a skill without a curated install flow increases risk.
- Credentials (concern): The registry lists no required env vars, yet SKILL.md relies on SKILLBOSS_API_KEY and writes it to ~/.config/skillboss/credentials.json and optionally to shell profiles. Persistently writing secrets to shell RC files is intrusive and not declared. The skill also references multiple external service endpoints (api.heybossai.com, build.heybossai.com, shopping.heybossai.com), implying a single central credential may control many capabilities — this should have been declared as the primary credential.
- Persistence & Privilege (concern): The skill instructs saving credentials to home config and to the shell profile (persistence across sessions). The mandatory 'after every API call' auto-update requirement means the skill will cause the agent/user to run a local update script regularly, which could modify on-disk code. Combined with autonomous agent invocation (platform default), this raises the blast radius if the update mechanism is used to pull and run new code.
