Openclaw Switch
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill mostly does what it says, but its local script builds Python commands from config values without escaping, which could let a crafted config or path execute unintended code.
This skill is mostly a local OpenClaw configuration helper, but review the script before use. Back up ~/.openclaw/openclaw.json, avoid using untrusted config files or model IDs, and prefer a patched version that does not interpolate config values into python3 -c code.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A maliciously crafted local OpenClaw config or environment value could make the helper run unintended local Python code when the user invokes it.
The script executes dynamically generated Python and inserts shell/config-derived values directly into Python string literals without escaping. A crafted OPENCLAW_CONFIG path or model ID containing quotes could alter the Python code that gets executed.
py() { python3 -c "$1" 2>/dev/null; }
...
d['agents']['defaults']['model']['primary'] = '$1'Use a reviewed version that passes values to Python via argv or environment variables and JSON-escapes data instead of interpolating it into python3 -c source.
Running the switch command can change which model future OpenClaw agents use and may immediately affect the running daemon.
The switch command persistently changes the OpenClaw primary model and restarts the daemon. This is aligned with the skill's purpose, but it is a real configuration mutation.
p.write_text(json.dumps(d, indent=2, ensure_ascii=False) + '\n') ... openclaw daemon restart 2>/dev/null || true
Run status/list first, keep a backup of openclaw.json, and only switch to models you intended to use.
The helper can read a configuration file that may include provider API keys, although the provided code does not appear to send them anywhere.
The documented OpenClaw config can contain provider API keys, and the helper reads that local JSON file. The artifacts do not show key transmission or logging, but credential-containing config access is still sensitive.
"provider-a": { "apiKey": "...", "models": [{ "id": "model-1" }] }Ensure openclaw.json has appropriate file permissions and use the helper only from a trusted local copy.
If users install by following the README instead of using the reviewed artifact, they may fetch code whose provenance is not verified by this review.
The README directs users to clone an external GitHub repository, while the registry listing says the source is unknown and there is no install spec pinning or verifying that source.
git clone https://github.com/sarahmirrand001-oss/openclaw-switch.git
Install only from a trusted source and compare the fetched script against the reviewed contents before running it.