Skill v3.0.0
ClawScan security
Smart Model Switcher V3 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 9, 2026, 8:53 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's description claims runtime capabilities (key validation, plan detection, zero-latency switching) but the package is instruction-only, omits the scripts it references, and fails to declare the API keys/config it expects to read — these mismatches deserve caution.
- Guidance: Do not install or provide API keys yet. The skill claims automated key validation, plan detection, and background scripts but the published bundle contains only documentation (no scripts or code) while still instructing you to place API keys in ~/.openclaw/openclaw.json or as environment variables. Ask the author to (1) publish the missing scripts and source code so you can inspect them, (2) update the skill metadata to declare required environment variables, and (3) provide reproducible build/install steps and signed releases (or a checked GitHub tag). If you need to test behavior, run it in a sandboxed environment and never reuse real provider keys — create limited-scope/test keys or revoke keys after testing. If the author instructs you to download scripts from external URLs, treat that as higher risk and inspect those files before running them.
- Findings
[unicode-control-chars] unexpected: SKILL.md triggered a unicode-control-chars prompt-injection pattern. That is not expected for a straightforward README/instruction file and may indicate crafted content to influence evaluators or parsers. It does not by itself prove malicious intent but increases suspicion given other inconsistencies.
Review Dimensions
- Purpose & Capability
- concern: The README/SKILL.md describe active runtime behavior (API key validation, plan detection, connection-pool preloading, zero-latency switching, background monitor scripts). However the published package contains no executable code or scripts to implement those features (no scripts/ directory in the manifest). The skill also does not declare required credentials/config in its registry metadata despite describing multi-provider API key management. These inconsistencies mean the package as published cannot provide the claimed capabilities and may be incomplete or intentionally misleading.
- Instruction Scope
- concern: The SKILL.md instructs the agent/operator to read and use ~/.openclaw/openclaw.json and/or environment variables like BAILIAN_API_KEY, MINIMAX_API_KEY, GLM_API_KEY, KIMI_API_KEY and to run scripts such as ./scripts/runtime-switch.ps1 and ./scripts/auto-monitor.ps1. Those files/scripts are not present in the bundle. The instructions therefore ask the agent to access local config and secrets (reasonable for a model-switcher) but do so without declaring or packaging the code that will perform network calls — creating an ambiguity about what will actually access those secrets. The SKILL.md also contains a pre-scan prompt-injection signal (unicode-control-chars) which could indicate crafted content attempting to influence evaluators or runtime behavior.
- Install Mechanism
- note: No install spec is provided (instruction-only), which minimizes direct install-time risk because nothing is written to disk by an installer. The README suggests installation via 'npx skills add' or manual git clone into OpenClaw directories; those are normal. However the README references scripts that are not included; if users follow the manual steps and then obtain scripts from elsewhere (untrusted locations) that introduces risk. Also the package's lack of code means users may download complementary components from other sources — a potential vector for supply-chain confusion.
- Credentials
- concern: The registry metadata lists no required environment variables or primary credential, but the documentation and SKILL.md clearly expect multiple provider API keys (BAILIAN_API_KEY, MINIMAX_API_KEY, GLM_API_KEY, KIMI_API_KEY) and a config file at ~/.openclaw/openclaw.json. Not declaring these in the skill metadata is a mismatch and a red flag: the skill will need access to sensitive API keys to function, yet that requirement wasn't declared for reviewers or users.
- Persistence & Privilege
- ok: The skill is not always-enabled (always: false) and is user-invocable; there is no install spec that would embed persistent privileged code. Nothing in the manifest requests system-wide persistence or modifies other skills' configs. This dimension does not introduce additional privilege concerns by itself.
