Rotate OpenRouter Key
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill is coherent for rotating an OpenRouter key, but it necessarily handles API credentials and rewrites OpenClaw configuration files.
This appears safe for its stated purpose if you intend to rotate an OpenRouter key. Before running it, preview the affected files, confirm they are inside the intended OpenClaw installation, avoid exposing the key in shared logs or chat, and keep backups only as long as needed.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The new API key is used to authenticate to OpenRouter and may reveal account metadata such as label, limits, and remaining balance in local output.
The helper sends the provided OpenRouter API key to OpenRouter's auth endpoint to verify it. This is expected for the stated purpose, but it is still credential-bearing account access.
`"https://openrouter.ai/api/v1/auth/key", headers={"Authorization": f"Bearer {key}", "Accept": "application/json"}`
Only provide the key when you intend to rotate it, verify that the endpoint is OpenRouter's real API, and avoid pasting real keys into shared logs or transcripts.
If the wrong key is supplied or too many files are updated, OpenRouter model access across the OpenClaw installation could fail until restored.
The workflow intentionally mutates multiple OpenClaw configuration files. This is purpose-aligned and scoped, but a wrong key or unintended target could affect all OpenRouter-backed agents.
Finds all config files (`.env` + JSON) containing an openrouter key ... Creates timestamped backups before each write ... Updates only the key value
Use `--find` or `--dry-run` first, review the listed paths, keep the generated backups until the new key is confirmed, and restart the gateway only after verifying the changes.
Install-time metadata may understate what the skill needs at runtime, so users relying only on metadata could miss that it handles an API key and runs a Python helper.
The registry metadata does not declare the Python/OpenClaw command usage or credential handling that the README and SKILL.md document. The behavior is disclosed in the artifacts, so this is an install-review note rather than a concern.
Required binaries (all must exist): none ... Primary credential: none
Review the included script and documentation before use, and ensure Python and the intended OpenClaw installation are available.
