Skillboss

Security checks across malware telemetry and agentic risk

Overview

The skill broadly matches its advertised AI/deployment gateway purpose, but it needs review because it can handle credentials, deploy code, send messages, upload environment data, and self-update with limited confirmation.

Install only if you trust SkillBoss/HeyBoss with the prompts, files, documents, phone numbers, email recipients, deployment source, and configuration you send through it. Before using deployment commands, remove secrets from .env and wrangler.toml vars unless you intentionally want them sent to the build service. Treat the API key as a server-side secret, avoid committing config.json, and review any update prompt or local update script before allowing it to run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (25)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill declares only Bash and Read, but the documented behavior clearly relies on network access and use of stored credentials. This creates a permissions/transparency gap: users and supervising systems may not realize the skill can reach external services and use local secrets, reducing informed consent and weakening policy enforcement.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The skill description frames the tool as a general app/AI gateway, but the body adds mandatory version checks, automatic self-update via shell script execution, and broader commerce/product-management behavior not clearly surfaced upfront. Hidden or under-declared behaviors are dangerous because they can cause unreviewed code execution and external communication beyond what a user reasonably expected when invoking the skill.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The CLI performs a network version check and then automatically executes a local shell script to update itself after ordinary command execution, without explicit user confirmation. In an agent or CI environment, this creates a software supply chain risk: a compromised update endpoint, tampered local update script, or unexpected invocation context could cause arbitrary code execution and filesystem changes outside the skill's stated API-gateway function.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The activation guidance is extremely broad, covering a large swath of common web, AI, auth, payments, scraping, and document tasks. Over-broad invocation criteria increase the chance the skill is triggered in inappropriate contexts, expanding exposure to credential use, network calls, deployment actions, and other side effects.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding: The instruction 'Any AI task -> Use pilot' is too generic to be a safe routing boundary. It encourages this skill to intercept an enormous range of requests, including cases where its network access, credential handling, or auto-execution behavior would be unnecessary or risky.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The guidance tells developers how to send prompts, files, and other user content to a third-party API but does not warn that this transfers potentially sensitive user data off-platform. In a skill meant to help build production apps, this omission can lead to privacy violations, inadequate consent, and unsafe handling of regulated or confidential data.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The SMS verification examples process phone numbers and OTP-related flows but provide no notice that this is personal data sent to an external provider. That omission increases the chance developers will deploy identity and contact-data workflows without proper disclosure, consent, retention controls, or abuse protections.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The document-processing examples send document URLs to an external parsing/extraction service without warning that the referenced documents may contain sensitive or proprietary information. This can cause developers to unknowingly expose confidential files, customer records, or regulated documents to third-party processing.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The command reference documents actions that can send data to third-party services, send emails/SMS, scrape external sites, process remote documents, and deploy to live infrastructure, but it does not warn users about outbound data transfer, billing, privacy, or production side effects. In a multi-AI gateway and deployment skill, this increases the chance that an agent or user will invoke high-impact commands with real data or against live services without informed consent or environment checks.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The documentation explicitly supports transmitting sensitive personal data such as phone numbers, IP addresses, device IDs, email addresses, and uploaded content to third-party services, but it does not provide any privacy notice, consent guidance, data-minimization advice, or warnings about external disclosure. In a multi-AI gateway skill, this increases the risk that downstream agents or users will send regulated or sensitive data off-platform without understanding where it goes or what compliance obligations apply.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The code automatically runs a shell script after a network-based version check, with no prior warning or confirmation during normal CLI use. That behavior is especially dangerous in a multi-provider API skill because it is unrelated to serving API requests and introduces silent local code execution and mutation, which can be abused in developer workstations, CI runners, or agent sandboxes.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The help output for common commands does not clearly warn that successful execution may trigger an automatic update that modifies local files. Hidden self-modification reduces informed consent and makes the more serious auto-update execution path harder for users and operators to detect or govern.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding: The function downloads arbitrary remote content and writes it directly to a user-specified path with fs.writeFileSync, without validating the destination, warning about overwrite, or constraining the source URL. If the upstream API returns an attacker-controlled URL or is compromised, this can overwrite local files or place malicious content in sensitive locations chosen by the caller.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The code automatically fetches a URL returned by the upstream `/run` API and writes the response body to a local file without validating the destination host, scheme, size, or content type. If the upstream service, model output, or a connected provider is compromised or attacker-influenced, this creates an SSRF-style outbound request primitive and untrusted file download/write behavior that can reach internal resources or store malicious content locally.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The code auto-provisions an API token from a remote service and persists it into the local project config.json without explicit user confirmation. Writing secrets into a project-local file can expose the token through source control, shared workspaces, backups, or other tooling that reads repository files, especially because this path is less protected than the user-scoped credentials file.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The worker file collection logic explicitly includes `.env` while skipping other hidden files, and later uploads all collected files to the remote build service. `.env` commonly contains API keys, database credentials, and tokens, so silently transmitting it off-host can expose secrets to the service, logs, intermediaries, or anyone with access to the deployed project metadata.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The script automatically parses `wrangler.toml` and copies `vars` into `bindings.vars`, which are then sent to the remote `/upload-worker` API without an explicit warning. Although `vars` may be intended for non-secret configuration, in practice developers often place sensitive values there, so this behavior can leak environment data to the build service unexpectedly.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The instruction to read and follow a workflow whenever a user requests a matching task is broad and lacks safety gating for high-impact operations. In this skill context, common requests like building a site, integrating login, or sending emails could trigger workflows that perform deployment or outbound actions without an explicit confirmation or risk review step.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The workflow list includes impactful capabilities such as building and deploying websites and sending batch marketing emails, but the document presents them as routine tasks without warning about operational, financial, or compliance risk. In a multi-AI gateway skill with deployment, auth, and payment features, omission of such warnings increases the chance that an agent will initiate sensitive actions too casually.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The workflow instructs the agent to send user-provided script text and video prompts to external TTS and video generation providers, but it does not require any notice, consent, or data-minimization step before transmission. This creates a real privacy and compliance risk because users may provide sensitive business, personal, or copyrighted content that is silently disclosed to third-party model APIs.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding: The workflow explicitly asks for recipient emails and personalization data, but provides no guidance on consent, lawful basis, minimization, storage/retention, or handling of PII. In a skill designed to send marketing emails, this omission can lead users to transmit and process personal data in ways that violate privacy requirements or internal data-handling rules.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The README gives ready-to-run commands for test and batch email sending without clearly warning that campaign content, recipient addresses, and personalization variables are being sent to an external service. This increases the chance of accidental disclosure of customer data or unauthorized bulk messaging, especially because the skill is a multi-service gateway intended to operationalize sending quickly.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The workflow sends the full podcast script text to external TTS providers, but it does not warn users that potentially sensitive or proprietary content will leave the local environment. In a multi-AI gateway context, users may reasonably process internal documents or private material, so silent transmission to third-party services creates a real confidentiality and compliance risk.

Credential Access

Severity: High
Category: Privilege Escalation
Content:
**Base URL:** `https://api.heybossai.com/v1`
**Auth:** `Authorization: Bearer <your-api-key>`
**API Key:** Read from `~/.config/skillboss/credentials.json` -> `api_key` field, or `skillboss/config.json` -> `apiKey` field

## Code Examples (TypeScript/JavaScript)
Confidence: 95%
Finding: credentials.json

Credential Access

Severity: High
Category: Privilege Escalation
Content:
## Setup Steps

1. Run `./scripts/skillboss auth trial` or `./scripts/skillboss auth login` to get an API key
2. The key is auto-saved to `~/.config/skillboss/credentials.json` and `config.json`
3. Use the code patterns above, adjusting for your specific model
Confidence: 91%
Finding: credentials.json

VirusTotal

63/63 vendors flagged this skill as clean.
