Free Ride 1.0.5

Security checks across malware telemetry and agentic risk

Overview

FreeRide appears to do what it claims, but it can change OpenClaw's persistent model configuration and handle an API key with weak consent and safety boundaries.

Install only if you intend to let this skill change OpenClaw's default model and fallbacks. Avoid printing your API key, back up ~/.openclaw/openclaw.json before running mutating commands, and run freeride-watcher --daemon only if you want ongoing OpenRouter checks and automatic model rotation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs access to environment variables, reads and writes OpenClaw configuration, and relies on network access to OpenRouter, but it does not declare those capabilities. Missing permission declarations reduce transparency and prevent users or hosting systems from understanding the actual trust boundary before execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented purpose focuses on configuring free models, but the content also advertises a watcher/daemon that continuously monitors model health, sends active test requests, persists state, and can automatically rotate configuration over time. That is a materially broader behavior set than simple one-time configuration, and it increases the chance of unexpected background execution, network activity, and config changes beyond what a user may have consented to.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly instructs users to place a live OpenRouter API key into shell environment variables or persistent OpenClaw configuration, but gives no guidance on secret hygiene, file permissions, redaction, or avoiding committing config files. In a skill that edits local agent configuration and is likely used by less experienced users, this increases the risk of credential leakage through shell history, dotfiles, screenshots, backups, or source control.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The description uses broad activation phrases like mentions of free AI, OpenRouter, model switching, rate limits, or reducing costs, which could match ordinary conversation and cause the skill to be invoked in cases where the user did not intend configuration changes. In this context, accidental invocation is more dangerous because the skill modifies local config and recommends restarting the gateway.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow directs modifying ~/.openclaw/openclaw.json and restarting the OpenClaw gateway, but it does not present an explicit warning or confirmation step about these side effects. Restarting a gateway and altering model configuration can interrupt active sessions, change routing behavior, and overwrite user expectations even if some fields are preserved.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill persistently rewrites ~/.openclaw/openclaw.json without any confirmation, backup, atomic write, or integrity checks. In an agent setting, this can silently alter model routing and auth-related behavior, causing denial of service, unexpected provider usage, or loss of existing configuration if the file is malformed or partially overwritten.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The manifest exposes multiple generic command triggers such as "list", "switch", "auto", and "status" without namespacing or invocation constraints. In an agent ecosystem, broad triggers can cause accidental or adversarial invocation when user text casually contains these common words, leading the skill to run in contexts the user did not intend and potentially modify OpenClaw configuration or consume API-backed resources.

VirusTotal

67/67 vendors flagged this skill as clean.
