Free AI Bot

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned and benign, but it can route prompts to cloud AI providers using optional API tokens and has minor dependency metadata gaps.

This looks safe to review/install for its stated purpose if you are comfortable with cloud fallback. For local-only privacy, force the Ollama provider; for cloud use, use limited-scope API tokens and verify Python dependencies from trusted sources.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Private prompt text may be sent to Cloudflare or Groq if auto routing falls back to a cloud provider.

Why it was flagged

The documented default routing can move prompts from a local model to external cloud AI providers after fallback; this is disclosed and purpose-aligned, but it changes the data boundary.

Skill content
1. Prefer the local model (fastest/free)
   ↓ on failure
2. Cloudflare Workers AI (stable)
   ↓ on failure
3. Groq (fast inference)
Recommendation

Use --provider ollama for local-only use, and avoid sending confidential prompts to cloud providers unless that is acceptable.

ASI03: Identity and Privilege Abuse
Low
What this means

Overly broad or exposed API tokens could allow unintended use of the linked provider accounts or quotas.

Why it was flagged

The skill uses optional provider API credentials for Cloudflare and Groq access; this is expected for the integration, but the tokens should still be treated as sensitive account credentials.

Skill content
export CF_ACCOUNT_ID=your_account_id
export CF_API_TOKEN=your_token
export GROQ_API_KEY=your_key
Recommendation

Use least-privilege provider tokens where possible, keep them out of logs and shared shells, and revoke them if they are no longer needed.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Users may need to install missing Python dependencies manually, which can create avoidable provenance or version-management risk.

Why it was flagged

The script depends on the Python requests package, while the provided registry requirements list curl and there is no install spec; this is an under-declared dependency rather than evidence of malicious behavior.

Skill content
import requests
Recommendation

Install dependencies only from trusted package sources, and prefer that the skill metadata or documentation explicitly declare Python and requests requirements.