Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Model Intel Pro

v1.0.0

Live LLM model pricing and capabilities from OpenRouter. List top models, search by name, compare side-by-side, find best model for a use case, check pricing...

0· 676·1 current·1 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the code: the script fetches model data from https://openrouter.ai and provides list/search/compare/best/price commands. However the skill declares OPENROUTER_API_KEY as required even though the HTTP requests in the included script do not actually use that key (no header/param). That mismatch is unexpected — either the API key is unnecessary or the script is buggy/unfinished.
[!] Instruction Scope
SKILL.md instructs running the bundled Python script, which is fine. The script, however, will attempt to read ~/.openclaw/workspace/.env to extract OPENROUTER_API_KEY if the env var is not set. The manifest said no required config paths; reading a workspace dotfile in the user's home is an access beyond the declared scope and should have been listed. The script does not read other arbitrary files, but the undeclared home path access is a scope mismatch.
Install Mechanism
No install spec is present (instruction-only). That minimizes install-time risk. The bundle includes a single Python script which will be executed; there's no downloader, third-party install, or archive extraction.
[!] Credentials
The only required env var is OPENROUTER_API_KEY, which is reasonable for an OpenRouter integration. But the script reads the API key from ~/.openclaw/workspace/.env as a fallback and then never uses the key in its requests. This either indicates sloppy/unfinished code or unnecessary access to a file that may contain other secrets. Requesting a credential and not using it is disproportionate and confusing.
Persistence & Privilege
The skill does not request always: true and does not attempt to persist itself or modify other skills or system settings. It runs on-demand and performs network calls only to openrouter.ai.
What to consider before installing
This skill appears to implement the advertised model-intel functionality (it fetches model data from openrouter.ai and prints comparisons), but there are a couple of red flags:

1) it declares OPENROUTER_API_KEY but the HTTP requests do not use the key (no Authorization header or API param), and
2) the script will try to read ~/.openclaw/workspace/.env for the key even though the manifest lists no required config paths.

These could be harmless (a bug or unfinished code) but could also mean the author intended to use the key or access workspace config in ways not declared.

Before installing: review the script yourself (it’s short), run it in an isolated environment or sandbox, and avoid exposing a real API key until you confirm where it is sent. Prefer setting the env var only for ephemeral sessions, or remove the key from your home .env if you don’t want it read. If you need higher assurance, ask the publisher to explain why the key is declared but not used and to remove the fallback file read or declare it explicitly.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: python3
Env: OPENROUTER_API_KEY
