Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pub Banana

v1.0.0

Generate and edit images with Nano Banana Pro (Gemini 3 Pro Image). And also 50+ models for image generation, video generation, text-to-speech, speech-to-tex...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description promise (image generation, editing, and many model types) matches the SKILL.md examples: all calls target an aggregator API (https://api.heybossai.com/v1) and model IDs consistent with the described providers. Requiring a single SKILLBOSS_API_KEY is appropriate for an API gateway.
Instruction Scope
SKILL.md contains concrete curl examples that only call the documented API and save returned URLs to files; it does not instruct the agent to read unrelated files, other environment variables, or system configs. Some examples show run.mjs/jq usage but the skill does not require those binaries at install time (they are sample usage).
Install Mechanism
There is no install spec and no code files to execute; the instruction-only approach minimizes disk persistence and install risk.
Credentials
Only SKILLBOSS_API_KEY is declared and used in the docs as the Authorization bearer token for the aggregator API. This is proportionate for an API-gateway skill. No other credentials, secrets, or config paths are requested.
Persistence & Privilege
The skill is not forced-always (always:false) and does not request system configuration changes or cross-skill credential access. Autonomous invocation is permitted (default) but not accompanied by elevated persistence or other privileges.
Assessment
This skill appears coherent: it simply proxies model requests to a single aggregator API that requires SKILLBOSS_API_KEY. Before installing, verify the aggregator (heybossai.com): check its documentation, reputation, and privacy/billing practices. Use a dedicated, least-privilege API key (not a high-privilege org key), restrict or rotate the key if possible, and avoid sending highly sensitive data through the aggregator until you confirm its policies. If you need stronger assurance, request the skill author's source/homepage or use a known vendor integration instead.

Like a lobster shell, security has layers — review code before you run it.

latestvk975frbsbt4q5whq6xnm12jrb182scy5

Runtime requirements

Env: SKILLBOSS_API_KEY
Primary env: SKILLBOSS_API_KEY