Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Rotate OpenRouter Key
v1.0.0
Safely rotate the OpenRouter API key across all config files in an OpenClaw installation. Finds every location where the key is stored, updates them, restart...
by Chunhua Liao @chunhualiao
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (rotate OpenRouter key) align with the included SKILL.md and the helper script. The code searches ~/.openclaw (or OPENCLAW_DIR), updates .env and JSON provider apiKey fields, creates backups, and verifies via openrouter.ai—all consistent with the declared purpose. No unrelated credentials, binaries, or services are requested.
Instruction Scope
SKILL.md limits actions to finding/updating keys under ~/.openclaw, restarting the gateway, and optionally repeating via SSH on remote hosts. The instructions ask the user for the new key and recommend dry-run and verification steps. One minor operational note: the skill asks the user to provide the new key (sensitive secret) but does not mention safe handling/logging of that secret; the script prints key previews and creates backups that will contain secret material.
Install Mechanism
Instruction-only skill with an included Python script; no install spec or external downloads. Risk is limited to the script writing backups and temp files in-place (.bak.<timestamp>, .tmp) which will contain secrets. This is expected for the task but users should be aware backups hold old keys and remain on disk until removed.
Credentials
No required environment variables or credentials are declared; the script optionally reads OPENCLAW_DIR which is reasonable. The script contacts https://openrouter.ai to verify keys (expected). Potential concern: local backup and temp files will contain keys and the tool prints partial key previews; these are proportional but sensitive—users should ensure appropriate filesystem permissions and cleanup of backups.
Persistence & Privilege
Skill is user-invocable, always:false, and does not request permanent agent-level privileges or modify other skills. It performs disk writes only to OpenClaw config files and creates backups; gateway restart is an expected operational step. No suspicious elevation of privilege or persistence is requested.
Assessment
This skill appears to do exactly what it claims. Before running it:
(1) Review the included script yourself (it's bundled and readable).
(2) Run with --dry-run to see what would change, then --verify to ensure the new key is valid before writing.
(3) Be aware the script creates timestamped backups and temporary files in the same directories; these backups will contain old API keys—delete or securely store them after rotation.
(4) Do not paste secrets into public chat; provide the new key only through a secure channel and avoid long-term storage in chat logs.
(5) If you manage remote hosts, the skill's SSH instructions require you to run the script there or copy it over; ensure SSH access is secure.
(6) After successful rotation and verification, disable the old key at openrouter.ai.
If you want extra assurance, run the script on a test system or inspect/modify it to upload backups to a secure vault rather than leaving them on disk.
Like a lobster shell, security has layers — review code before you run it.
