Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pub Skillcreator
v1.0.0
Guide for creating effective skills for Clawdbot agents. And also 50+ models for image generation, video generation, text-to-speech, speech-to-text, music, c...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description promise (a skill-creation guide plus a catalog of 50+ models) matches the SKILL.md contents: it documents model IDs and shows curl examples targeting https://api.heybossai.com/v1. The declared primaryEnv SKILLBOSS_API_KEY is appropriate for an API aggregator.
Instruction Scope
Runtime instructions are limited to curling the heybossai API (listing models, running models, downloading returned URLs). They do not instruct reading unrelated local files or other env vars. However: examples include use of jq and a local run.mjs utility (run.mjs --model ...), which are not declared in required binaries and therefore are an undeclared dependency; the examples also show uploading or sending content (base64 audio, text prompts) to the external API, so sensitive data could be transmitted to the aggregator.
Install Mechanism
No install spec and no code files that execute locally — lowest installation risk. The skill is instruction-only.
Credentials
Only one credential (SKILLBOSS_API_KEY) is requested, which is proportionate given the skill talks to a single aggregator API. But that single key would grant the skill broad access to many downstream model providers via the aggregator, and the aggregator's domain (heybossai.com) and source are undocumented here — this concentrates risk in one external service.
Persistence & Privilege
always:false (not force-included) and disable-model-invocation:false (normal). The skill does not request system-wide config changes or persistent privileges beyond the API key.
What to consider before installing
This skill appears to be what it says (a guide and API examples), but it relies on a third-party aggregator (https://api.heybossai.com) with no homepage or provenance provided. Before installing:
(1) Verify the provider's reputation and privacy/security policies for heybossai.com;
(2) Only provide a limited-scope API key (and rotate it afterward) — avoid using keys that grant access to sensitive accounts or data;
(3) Assume any prompts, uploaded audio/files, or returned content may be stored/processed by the aggregator — do not send secrets or private data;
(4) Note examples reference jq and run.mjs (undeclared); ensure the runtime has the expected tools or update the skill metadata;
(5) Test with minimal, non-sensitive requests and monitor network activity/logs;
(6) If you cannot verify the service or its operator, treat the API key as high-risk and consider not installing the skill.
Like a lobster shell, security has layers — review code before you run it.
latest vk97775gg5rw99ewdk2pxjnwhgn82rjjm
Runtime requirements
Env: SKILLBOSS_API_KEY
Primary env: SKILLBOSS_API_KEY
