Track data origin, transformations, and flow through construction systems. Essential for audit trails, compliance, and debugging data issues.
Security Analysis
medium confidence
The skill's functionality (local data-lineage processing + AI analysis) is plausible, but the packaging and metadata are inconsistent: the runtime instructions require an unlisted API key and will send user data to an external service (SkillBoss), and the manifest requests filesystem access — these mismatches merit caution before installing.
The skill's stated purpose (tracking data lineage) aligns with the included Python code and the need to read project files and perform analysis. However, SKILL.md declares a required SKILLBOSS_API_KEY for calling https://api.heybossai.com/v1/pilot, while the registry metadata at the top of the package claims no required env vars. The presence of a SkillBoss model in claw.json is consistent with the code, but the public metadata omission is an incoherence.
Runtime instructions and code explicitly post analysis payloads to an external API (api.heybossai.com) using SKILLBOSS_API_KEY. The skill also expects to accept file paths and has filesystem permission in claw.json, meaning user-provided files (potentially containing sensitive data) may be read locally and transmitted externally. This behavior is consistent with the described AI-assisted analysis but is not clearly disclosed in the top-level registry metadata and has privacy implications.
There is no install spec and no code files to execute beyond instructions embedded in SKILL.md; this instruction-only design means nothing new is downloaded at install time (low install risk).
SKILL.md requires a single secret env var (SKILLBOSS_API_KEY) used to authenticate to an external API — reasonable for an AI-hosted analysis path but inconsistent with the package metadata (which lists no required env vars). A required secret that is not declared at the registry level is a transparency issue and increases risk because the user may not realize an external credential is needed or that their data will be sent off-host.
The skill does not request always:true and is user-invocable (normal). claw.json requests filesystem permission which is appropriate for reading user-provided files but means the skill can access local files the user points it at; it does not appear to modify other skills or system-wide settings.
Guidance
Before installing, verify the metadata inconsistencies and ask the publisher to resolve them (registry lists no env vars, but SKILL.md requires SKILLBOSS_API_KEY). Understand that the skill will (a) read user-provided files (claw.json requests filesystem permission) and (b) send analysis payloads to https://api.heybossai.com using SKILLBOSS_API_KEY. Do not use this skill with sensitive or regulated data until you confirm the SkillBoss service's data handling, retention, and ownership policies and have control over the SKILLBOSS_API_KEY. Prefer that the publisher explicitly document the required env vars and exactly what data is transmitted, and provide a privacy/security statement or an option to run analysis entirely locally if needed.
Latest Release
v1.0.0
Initial release of data-lineage-tracker.
- Enables tracking of data origin, transformations, and flow within construction systems.
- Supports entity registration, transformation logging, and lineage tracing for audit trails and compliance.
- Integrates with SkillBoss API Hub for AI-powered analysis, requiring only a single API key.
- Provides tools for debugging data issues and ensuring data governance in construction projects.
Published by @alvisdunlop on ClawHub