ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Skill

v6.4.0

Boss AI Agent — your AI management advisor. 16 mentor philosophies, 9 culture packs, C-Suite board simulation, execution intelligence engine, AI recommendati...

1· 284·0 current·0 all-time
by@tonypk
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (management advisor + team ops) align with the declared optional API keys and MCP connection options. The only credentials mentioned (MANAGEMENT_BRAIN_API_KEY, BOSS_AI_AGENT_API_KEY, MCP_HTTP_API_KEY) are relevant to enabling Team Operations Mode and are optional — no unrelated cloud/provider credentials are requested.
Instruction Scope
SKILL.md cleanly separates Advisor Mode (offline, local mentor frameworks) from Team Operations Mode (cloud MCP interactions). Team Operations Mode will send tool parameters (employee names, messages, etc.) to manageaibrain.com/mcp and can register cron jobs that autonomously send messages and sync data. This is expected behavior for a team-ops skill but is high-impact: enabling Team Operations grants the skill the ability to perform actions on behalf of the org (send messages, schedule jobs).
Install Mechanism
The skill is instruction-only (no install spec) which is low-risk, but runtime instructions recommend using `npx -y @tonykk/management-brain-mcp` or `npm install -g` to run a local MCP client. Using npx auto-downloads and executes an npm package from the public registry — a common but non-trivial trust decision. No direct URL downloads or obscure hosts are present.
Credentials
Environment variables are optional and correspond to the service the skill integrates with (management-brain API keys). No unrelated secrets or broad platform credentials are requested. Note: providing MANAGEMENT_BRAIN_API_KEY gives the remote backend authority to operate on team data and deliver messages.
Persistence & Privilege
always:false and no system-wide modifications are declared. In Team Operations Mode the skill may register up to 6 cron jobs that run autonomously and perform actions (check-ins, chases, sync). Autonomous cron-based behavior is coherent with the skill's purpose but grants persistent, autonomous capability — review config.json and scheduled jobs before enabling.
Assessment
This skill is internally consistent with its stated purpose. If you intend to use Advisor Mode only, no network access or credentials are required. If you enable Team Operations Mode: (1) only provide MANAGEMENT_BRAIN_API_KEY if you trust manageaibrain.com and understand it will be used to process and act on team data; (2) note that runtime recommends `npx -y @tonykk/management-brain-mcp` — npx will download and run code from npm, so prefer installing a pinned, audited package version instead of using `-y`; (3) review ~/.openclaw/skills/boss-ai-agent/config.json and the cron schedules before activation; (4) prefer least-privilege API keys and audit the web dashboard for actions the skill performs. If you are uncomfortable with remote automation or automatic message delivery, stick to Advisor Mode (offline) only.

Like a lobster shell, security has layers — review code before you run it.

latestvk9706zqp9693xm7xr39nj8thmd84vsf8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments