Boktoshi Human /my Helper
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: boktoshi-human-helper Version: 1.0.0 The skill bundle appears benign. The `SKILL.md` clearly defines its purpose as an optional helper for `boktoshi.com/api/v1/my/*` endpoints, requiring a `FIREBASE_ID_TOKEN` and network access, both explicitly declared in the metadata. There are no instructions for data exfiltration, malicious execution, persistence, or prompt injection against the agent. The security advice provided within the markdown is actually beneficial, advising to treat the Firebase token as a secret and not to log it publicly.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed and used, the agent may access private Boktoshi account data available through the supplied Firebase ID token.
The skill requires a bearer credential for a human account session, which gives access to authenticated Boktoshi /my endpoints.
- `FIREBASE_ID_TOKEN` ... `Authorization: Bearer <firebase-id-token>`
Only provide this token if you intend the agent to access your Boktoshi human account endpoints, and avoid sharing logs or transcripts that include the token.