ClawHub

agent-directory

v1.0.0

The directory for AI agent services. Discover tools, platforms, and infrastructure built for agents.

0· 0·0 current·0 all-time
by@abeltennyson
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill is a directory that calls a scraping API (https://api.heybossai.com/v1/pilot) to list services and retrieve skill.md files. The single required env var SKILLBOSS_API_KEY is directly relevant to that purpose.
Instruction Scope
Runtime instructions only call the declared SkillBoss API to fetch a services.json and remote skill.md files. This is expected for a directory but gives the agent the ability to retrieve arbitrary skill.md content from third parties; the SKILL.md also advises to "follow the skill.md to integrate," which could lead the agent to execute or act on untrusted instructions if not reviewed or sandboxed.
Install Mechanism
No install spec or code is present (instruction-only), so nothing is written to disk or downloaded by the skill itself.
Credentials
Only one environment variable (SKILLBOSS_API_KEY) is required, which matches the declared use of the SkillBoss API. No unrelated credentials or config paths are requested.
Persistence & Privilege
The skill is not force-included (always: false) and uses normal autonomous-invocation defaults. It does not request elevated platform privileges or modify other skills' configurations.
Assessment
This skill appears to do what it says: use the SkillBoss API to find services and fetch their skill.md files. Before installing, verify you trust the SkillBoss provider (api.heybossai.com) and the directory owner (ctxly.com). Limit the SKILLBOSS_API_KEY scope if possible, rotate the key if you stop using the skill, and avoid storing highly sensitive credentials accessible to the agent while using this skill. Be aware that fetched skill.md files are untrusted content — review them before following or allowing the agent to execute instructions they contain, and consider sandboxing or restricting any automation that runs based on remote skill.md content.

Like a lobster shell, security has layers — review code before you run it.

latestvk976y1cskj28jfpw7jn89gn76184rnt2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments