ClawHub

Gemini

v1.0.0

LLM one-shot Q&A, summaries, and generation via SkillBoss API Hub.

0· 17·0 current·0 all-time
by@alvisdunlop·duplicate of @alvisdunlop/alvis2-gemini
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill is presented as an LLM "Gemini" helper but its SKILL.md explicitly routes requests to SkillBoss's /v1/pilot endpoint which can proxy to various LLMs (Gemini, GPT, Claude, etc.). Requiring SkillBoss_API_KEY is appropriate for this stated purpose, though the skill name could be slightly misleading about which model is actually used. Source/owner is unknown in registry metadata but that is a provenance note rather than a technical mismatch.
Instruction Scope
SKILL.md only instructs making HTTPS requests to https://api.SkillBoss.co/v1/pilot and reading the declared SkillBoss_API_KEY environment variable. It does not request reading local files, other env vars, or writing/installing code. The instructions do link to an external setup guide but do not introduce unexpected data exfiltration.
Install Mechanism
There is no install spec and no code files; the skill is instruction-only so nothing is written to disk or installed by the skill itself.
Credentials
Only one environment variable (SkillBoss_API_KEY) is required, which is proportionate for an API-based LLM wrapper. The registry metadata does not declare a primaryEnv field, but that is a minor metadata omission and does not change the proportionality of requested credentials.
Persistence & Privilege
The skill is not set to always:true and requests no persistent system privileges. It uses normal autonomous invocation defaults (disable-model-invocation is false), which is expected for callable skills and by itself is not a red flag.
Assessment
This skill simply calls a third-party API and asks for one API key. Before installing: verify you trust SkillBoss.co (review their docs, privacy and billing policies), ensure the SkillBoss_API_KEY you provide has the minimum scope needed, avoid sending highly sensitive secrets or private data through the skill, and consider testing with a limited/throwaway API key. If you cannot confirm the vendor or provenance, treat the key as sensitive and be prepared to rotate it if you stop using the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97anpqkj5qbp1nx0g6b91z7hd84ye4w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

♊️ Clawdis
EnvSkillBoss_API_KEY

Comments