Skill v1.0.0

ClawScan security

Skillboss · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 11, 2026, 6:27 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent: it is a Node-based client that sends prompts to a single external API (heybossai.com) using a single SKILLBOSS_API_KEY credential, which matches its stated purpose as a multi-model gateway.
Guidance
This skill is a thin Node client that forwards your prompts and the SKILLBOSS_API_KEY to an external service (api.heybossai.com). Before installing: (1) Verify you trust the operator/service (owner is unknown and no homepage is listed in registry metadata). (2) Do not send secrets or sensitive data in prompts: your prompts and your key are transmitted to a third party. (3) You may want to confirm that the SKILL.md domain for obtaining keys (skillboss.co) corresponds to the API domain (heybossai.com). If you are comfortable trusting that service and exposing prompts/API key to it, the skill's requests and behavior are coherent with its stated purpose.

Review Dimensions

Purpose & Capability
ok
Name/description (Multi-AI gateway) matches the included code and runtime instructions: the script lists models, runs models, and auto-selects 'tasks' by POSTing to heybossai.com. Required binary (node) and a single API key are appropriate. Minor note: SKILL.md points users to https://www.skillboss.co for keys while the client talks to https://api.heybossai.com — this is plausible (brand vs API host) but worth verifying if you require strict provenance.
Instruction Scope
note
SKILL.md instructs running the included Node script; the script only reads SKILLBOSS_API_KEY and command-line args and sends them to the remote API. It does not read other files, environment variables, or system paths. It will send prompts (and thus any sensitive text you include) to the external service — expected for this skill but a privacy consideration.
Install Mechanism
ok
No install spec is provided (instruction-only install), and the package includes a single run.mjs script. No downloads from third-party URLs or archive extraction occur. Requiring Node on PATH is reasonable.
Credentials
ok
Only one environment variable (SKILLBOSS_API_KEY) is required and is used as the API credential in requests. That is proportionate for a remote API client. Note: the key is sent in request JSON (api_key) to the remote host, so the key will be visible to that service.
Persistence & Privilege
ok
The skill does not request persistent installation privileges, does not set always:true, and does not modify other skills or system config. It can be invoked autonomously (platform default), which is expected for skills.