Provider Sync

Review

Audited by ClawScan on May 1, 2026.

Overview

This skill is coherent for syncing provider models, but it can edit OpenClaw configuration, prune model menu entries, use provider API keys, and cache provider data locally.

Install only if you want this skill to update OpenClaw provider model configuration. Start with dry-run, review any model additions/removals and agents.defaults.models pruning, keep backups, and provide API keys only in private trusted chats.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running apply can change the models OpenClaw uses across one or all providers.

Why it was flagged

The skill can apply changes to the OpenClaw configuration, including all providers. This is purpose-aligned and disclosed, with dry-run and backup guidance, but it is still a high-impact configuration change.

Skill content
Apply (a backup is made; previewing first is still recommended):
- `/provider_sync provider=all mode=apply`
Recommendation

Run dry-run first, inspect the diff, and only use provider=all mode=apply when you intend to update every provider.

What this means

Some model menu entries may disappear after applying a sync.

Why it was flagged

The default behavior can remove model aliases/menu entries when upstream models are missing. This is disclosed and has an opt-out flag, but a bad upstream list or mistaken apply could affect agent model selection.

Skill content
By default, `agents.defaults.models` is pruned (entries under that provider that "do not exist upstream" are deleted)
Recommendation

Check the dry-run summary for pruned entries and use --no-prune-agent-aliases if you want to preserve existing aliases.

What this means

A provider API key entered into chat or config could grant access to that provider account.

Why it was flagged

The skill may receive a provider API key when adding a provider. This is expected for provider integration and the instructions advise private chat use, but it is still credential handling.

Skill content
`/provider_sync add providerId=<id> baseUrl=<.../v1> apiKey=<optional>`
Recommendation

Only provide API keys in a private trusted context, avoid sharing transcripts containing keys, and rotate any key accidentally exposed.

What this means

Recently fetched provider data may be reused from local cache, which could preserve stale or incorrect model information briefly.

Why it was flagged

The script uses a local cache for fetched provider JSON. The shown code redacts secret-like fields and chmods cache files, but cached upstream model data can still influence later sync results while fresh.

Skill content
cache_dir: str = "~/.cache/openclaw/provider-sync"
Recommendation

Use dry-run to review cached results, clear the provider-sync cache if provider data looks wrong, and avoid putting secrets in endpoint URLs.

What this means

It may be harder to confirm exactly which packaged version is installed.

Why it was flagged

The provided registry metadata lists version 2.1.5, while the packaged _meta.json says 2.1.3. This does not show malicious behavior, but it weakens provenance/version clarity.

Skill content
"version": "2.1.3"
Recommendation

Verify the skill package/version from a trusted registry entry before installing or updating.