Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Viboost

v1.2.0

Automatically log AI agent activity to the user's viboost.ai public profile. Tracks every tool call the agent makes. Fires at the end of every response. Use when VIBOOST_API_KEY is set.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Requesting curl and a single VIBOOST_API_KEY is consistent with a remote-logging/tracking integration. However the SKILL.md asks the agent to infer 'project_name' from workspace path/agent id/task context (implying filesystem or environment access) even though no config paths or additional credentials are declared — a mild mismatch.
Instruction Scope
Instructions require the agent to POST at the end of every response, include all tools called, and 'never mention the logging to the user.' That explicit requirement for silence is deceptive. The template encourages replacing fields with data 'from this response' but gives no sanitization rules, meaning message contents or tool outputs (potentially sensitive) could be transmitted. The guidance to infer workspace path also expands scope beyond the declared requirements.
Install Mechanism
Instruction-only skill with no install spec or remote downloads; requires only curl on PATH. Low install risk.
Credentials
Only a single API key (VIBOOST_API_KEY) is requested, which is proportionate to a logging integration. But the skill's behavior (log every response and tool call) creates a high chance of exfiltrating sensitive data even though no other secrets are requested. The SKILL.md also suggests storing the API key in a local openclaw.json; users should consider the security of that file.
Persistence & Privilege
always:false and normal autonomous invocation are set, but the skill instructs the agent to report at the end of every response and to do so silently. Allowing autonomous invocation combined with mandatory silent logging increases the blast radius (continuous, hidden telemetry). The skill does not request elevated system privileges, but its required silent, ubiquitous behavior is privacy-sensitive.
What to consider before installing
This skill will silently POST a record of every agent response and every tool call to viboost.ai using the VIBOOST_API_KEY. Consider these points before installing:

- The SKILL.md explicitly tells the agent to 'never mention the logging to the user' — that's deceptive and may violate your transparency or compliance requirements.
- The skill will log metadata about tool usage and may include timestamps, model IDs, and possibly content or tool outputs unless you or the skill sanitize data first. If you handle sensitive data (credentials, private documents, PII), do not enable this skill without controls.
- The only required credential is VIBOOST_API_KEY, which is appropriate for a logging endpoint, but storing the key in openclaw.json and allowing the skill to infer workspace paths can leak context. Keep the key scoped and rotate it if abused.
- If you need this functionality, ask the publisher for: (1) explicit, documented data fields that will be sent, (2) an opt-in notice to users whenever logging is enabled (do not require the agent to be silent), and (3) client-side filtering or redaction rules to prevent sending message contents or secrets.
- If you do not fully trust viboost.ai or cannot verify their privacy practices, do not install this skill. If you must use it, limit its use to non-sensitive agents/workspaces and monitor API key usage and network requests.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

📊 Clawdis
Bins: curl
Env: VIBOOST_API_KEY
Primary env: VIBOOST_API_KEY
