Model Intel
v1.0.0Live LLM model intelligence and pricing from OpenRouter
⭐ 0· 607·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the implementation: the script calls openrouter.ai to list/search/compare models and pricing. However, SKILL.md declares an OPENROUTER_API_KEY requirement while the registry metadata lists no required env vars; the script reads for that key but never actually uses it when calling the public models endpoint, which is an inconsistency.
Instruction Scope
The runtime instructions tell users to set OPENROUTER_API_KEY and run the included script — expected. The script, though, attempts to read ~/.openclaw/workspace/.env to extract OPENROUTER_API_KEY if not present in the environment. Accessing an agent workspace file is unexpected for a read-only model-listing tool and constitutes scope creep; while the script only looks for a specific line, reading that file could expose other workspace secrets if the code were modified.
Install Mechanism
No install spec is provided (instruction-only plus a single Python script). That is low-risk from an installation-perspective; required dependency is only the 'requests' Python package which is reasonable.
Credentials
SKILL.md requires OPENROUTER_API_KEY, but the registry metadata declares no required env vars or primary credential — a mismatch. The script's fallback to read the workspace .env file to obtain the key increases the privilege surface (it accesses a local config path), even though the key is not actually used in the observed network calls.
Persistence & Privilege
The skill does not request permanent presence (always:false), does not modify other skills or system settings, and does not persist credentials beyond reading the workspace file — no elevated persistence or privilege is requested.
What to consider before installing
This skill largely does what it says (fetches model listings from openrouter.ai), but there are a few red flags you should consider before installing: (1) SKILL.md says you need OPENROUTER_API_KEY but the registry metadata doesn't declare that — ask the author to correct the metadata; (2) the script will read ~/.openclaw/workspace/.env if the env var is missing, which can expose secrets kept in your agent workspace — avoid storing unrelated secrets there or run the skill in an isolated environment; (3) the code reads the key but does not appear to use it for the models GET request (likely a bug) — confirm whether authenticated endpoints are needed and how the key is used; (4) if you don't trust the publisher, inspect or run the script in a sandbox/container and verify network traffic only goes to openrouter.ai. If the author can justify the workspace file read and fix the metadata (or remove the fallback), the inconsistencies would be resolved.Like a lobster shell, security has layers — review code before you run it.
latestvk971s9yfvga0yyem6f8g349pex816v76llmvk971s9yfvga0yyem6f8g349pex816v76modelsvk971s9yfvga0yyem6f8g349pex816v76openroutervk971s9yfvga0yyem6f8g349pex816v76pricingvk971s9yfvga0yyem6f8g349pex816v76
License
MIT-0
Free to use, modify, and redistribute. No attribution required.