Skillboss

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent documentation for an AI API gateway, but it includes real email and SMS/OTP sending capabilities without clear approval or recipient-safety guidance.

Install only if you trust SkillBoss/HeyBossAI and its downstream providers with the data you send. Use a limited API key if available, set spending or feature limits, and require manual approval before any email, batch email, SMS notification, batch SMS, or OTP action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill documents an email-sending capability that can transmit data to arbitrary external recipients, but it does not warn the user that invoking this feature will send real outbound messages. In an agent setting, this increases the risk of unintended data disclosure, spam, or unauthorized communications if the tool is used without explicit user confirmation and recipient validation.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The SMS verification examples send OTPs to real phone numbers but provide no warning that these actions trigger real-world outbound messages. In an autonomous or semi-autonomous agent workflow, this can lead to unwanted SMS traffic, abuse of third-party numbers, or accidental harassment/cost incurrence if numbers are not verified and user-approved.

External Transmission

Medium
Category
Data Exfiltration
Content
## Email

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
95% confidence
Finding
curl -s -X POST https://api.heybossai.com/v1/run \ -H "Authorization: Bearer $SKILLBOSS_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "model": "email/send", "inputs": {"to": "us

External Transmission

Medium
Category
Data Exfiltration
Content
## Email

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
95% confidence
Finding
https://api.heybossai.com/

External Transmission

Medium
Category
Data Exfiltration
Content
Send OTP:

```bash
curl -s -X POST https://api.heybossai.com/v1/run \
  -H "Authorization: Bearer $SKILLBOSS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
95% confidence
Finding
https://api.heybossai.com/

VirusTotal

66/66 vendors flagged this skill as clean.
