Pub Caldav

Security checks across malware telemetry and agentic risk

Overview

This is presented as a CalDAV calendar skill but mainly documents a broad SkillBoss API gateway with email, SMS, scraping, and AI model actions.

Treat this as a broad SkillBoss API gateway, not a focused CalDAV calendar skill. Only install if you intentionally want one API key to enable model routing, media generation, web search/scraping, document processing, email, SMS, and OTP workflows, and require explicit user approval before sending sensitive content, contact details, calendar data, or outbound messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (40)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is advertised as a CalDAV calendar tool, but the body actually exposes a broad third-party AI/API broker with capabilities far beyond calendar sync/query. This scope mismatch is dangerous because it can mislead users and reviewers into granting trust, credentials, or execution to a skill that can perform unrelated external actions and data transfers.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Documenting outbound email sending and SMS verification inside a purported calendar skill introduces communication capabilities that can be abused for spam, phishing, OTP workflows, or unauthorized user contact. Because these features are unrelated to the declared purpose, they materially expand the attack surface and reduce the likelihood that operators will apply appropriate scrutiny.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill exposes generative AI, search, scraping, document, and media-processing functions that are unrelated to CalDAV calendar operations. Even if individually legitimate, bundling them into a calendar skill creates an unjustified capability surplus that can enable unexpected data egress and misuse of privileged execution context.

Scope Creep

Medium
Confidence
85% confidence
Finding
The manifest declares only Bash and Read, yet the examples show downloading generated content and writing it to local files. This inconsistency can cause reviewers to underestimate filesystem side effects and may bypass intended expectations around write-capable behavior.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The file documents image generation and processing features that are unrelated to the declared CalDAV calendar purpose of the skill, indicating substantial scope expansion beyond user expectations. This kind of capability mismatch is dangerous because it can hide unexpected behaviors, increase attack surface, and make users or reviewers grant trust and permissions based on an inaccurate description of what the skill actually does.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The file advertises broad web search, scraping, and executive-interview retrieval features that are unrelated to the stated CalDAV calendar purpose. This capability mismatch increases the risk of hidden data exfiltration, unauthorized external access, or deceptive scope expansion because users may install a calendar skill without realizing it can also perform internet retrieval and scraping tasks.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Web scraping and CEO interview retrieval are context-inappropriate for a CalDAV calendar skill and materially broaden the skill's operational scope beyond calendar synchronization. In this context, the mismatch is more dangerous because users and reviewers may not expect external content collection features, creating opportunities for misuse, privacy issues, or covert data gathering under the guise of a calendar integration.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file advertises capabilities far beyond the stated CalDAV calendar sync/query purpose, including email, SMS, document parsing, embeddings, and presentation generation. This kind of scope mismatch is dangerous because it can hide unexpected data flows or outbound communication features that users and reviewers would not reasonably expect from a calendar skill.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Email and SMS sending are high-risk outbound communication capabilities that are not justified by a CalDAV synchronization use case. If exposed through this skill, they could be abused for spam, phishing, data exfiltration, or unauthorized notifications under the cover of a benign calendar integration.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Document parsing, embeddings, and presentation generation are unrelated to the stated calendar-sync function and expand the skill's attack surface unnecessarily. These capabilities can enable unexpected ingestion, transformation, and secondary use of user data, which increases the risk of privacy violations and hidden processing paths.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The email and SMS sections describe sending outbound communications and verification messages without warning about consent, abuse risk, delivery costs, or legal/compliance implications. This omission increases the chance of unsafe or unauthorized use, especially in a deceptively scoped calendar skill.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill omits privacy disclosures for audio, document, and search inputs that are transmitted to an external aggregator service and potentially onward to multiple providers. Users may unknowingly submit sensitive content, creating confidentiality and data-governance risks.

External Transmission

Medium
Category
Data Exfiltration
Content
## List Models

```bash
curl -s https://api.heybossai.com/v1/models \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY"
```
Confidence
76% confidence
Finding
curl -s https://api.heybossai.com/v1/models \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" ``` Filter by type: ```bash curl -s "https://api.heybossai.com/v1/models?types=image" \ -H "Authorizat

External Transmission

Medium
Category
Data Exfiltration
Content
## Image Generation

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
79% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "model": "mm/img", "inputs": {"prompt": "A

External Transmission

Medium
Category
Data Exfiltration
Content
## Video Generation

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
79% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "model": "mm/t2v", "inputs": {"prompt": "A

External Transmission

Medium
Category
Data Exfiltration
Content
## Text-to-Speech

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
78% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
## Speech-to-Text

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
82% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "model": "openai/whisper-1", "inputs": {"au

External Transmission

Medium
Category
Data Exfiltration
Content
## Background Removal

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
78% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "model": "replicate/remove-bg", "inputs": {

External Transmission

Medium
Category
Data Exfiltration
Content
## Web Search

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
81% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
## Email

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
90% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "model": "email/send", "inputs": {"to": "us

External Transmission

Medium
Category
Data Exfiltration
Content
One API key, 50+ models across providers (Bedrock, OpenAI, Vertex, ElevenLabs, Replicate, Minimax, and more). Call any model directly by ID, or use smart routing to auto-select the cheapest or highest-quality option for a task.

**Base URL:** `https://api.heybossai.com/v1`
**Auth:** `-H "Authorization: Bearer $SKILLBOSS_API_KEY"`

## List Models
Confidence
77% confidence
Finding
https://api.heybossai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
## List Models

```bash
curl -s https://api.heybossai.com/v1/models \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY"
```
Confidence
76% confidence
Finding
https://api.heybossai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
Filter by type:

```bash
curl -s "https://api.heybossai.com/v1/models?types=image" \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY"
```
Confidence
76% confidence
Finding
https://api.heybossai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
Get full docs for specific models:

```bash
curl -s "https://api.heybossai.com/v1/models?ids=mm/img,bedrock/claude-4-5-sonnet" \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY"
```
Confidence
76% confidence
Finding
https://api.heybossai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
## Chat

```bash
curl -s -X POST https://api.heybossai.com/v1/chat/completions \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
79% confidence
Finding
https://api.heybossai.com/

VirusTotal

63/63 vendors flagged this skill as clean.