ClawHub

Skillboss

v1.1.0

Swiss-knife for AI agents. 50+ models for image generation, video generation, text-to-speech, speech-to-text, music, chat, web search, document parsing, emai...

1· 215·0 current·0 all-time
byPhineas@yshuolu·duplicate of @marjoriebroad/skillboss-5
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill advertises a multi-model aggregator and only requires a single SKILLBOSS_API_KEY to call https://api.heybossai.com/v1 — this is proportionate for a broker/aggregator service.
Instruction Scope
SKILL.md contains only curl examples against the heybossai API, guidance for parsing responses, and model lists. It does not instruct the agent to read unrelated files, scan system config, or exfiltrate other environment variables. Example download commands assume common CLI tools (curl, jq) but do not demand additional secrets.
Install Mechanism
No install spec or code is included (instruction-only). Nothing is downloaded or written to disk by the skill itself, so install risk is minimal.
Credentials
Only one environment variable (SKILLBOSS_API_KEY) is required and is declared as the primary credential. That matches the documented Authorization: Bearer usage and is proportionate to the skill's function.
Persistence & Privilege
The skill is not always-enabled, does not request system-wide config changes, and has no install-time persistence. Autonomous invocation is allowed (platform default) but not combined with other high-risk behaviors.
Assessment
This skill is internally coherent: it uses one API key to call a third-party broker (api.heybossai.com) which then claims to route to many model providers. Before installing: verify the service identity (publisher/site, privacy policy, and billing model), treat the SKILLBOSS_API_KEY as sensitive, and create a dedicated limited-scope key if possible. Expect that any data you send (prompts, files) will be relayed to the broker and potentially to downstream providers — avoid sending secrets or sensitive PII. Because the package has no homepage or source link, prefer additional verification (public docs, reputation) before trusting it in production. Finally, monitor usage and rotate the API key if you notice unexpected activity.

Like a lobster shell, security has layers — review code before you run it.

latestvk9729hf4mf7yt37b7ehgddbv5d82shjx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvSKILLBOSS_API_KEY
Primary envSKILLBOSS_API_KEY

Comments