Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Lmstudio Model Switch
v0.1.0Switch AI models on-the-fly between local LM Studio and cloud Kimi API in OpenClaw with simple commands and automatic gateway restart.
⭐ 2· 226·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name and description match the instructions: it edits OpenClaw config and restarts the gateway to switch models between a local LM Studio and a Kimi cloud API. However, the README mentions a required Kimi API key but the skill metadata declares no required credentials; the install/clone URL in the README is a placeholder (https://github.com/yourusername/...), and the skill source/homepage are unknown, which reduces provenance and trust.
Instruction Scope
The SKILL.md directs the operator/agent to modify ~/.openclaw/openclaw.json (backup+edit), validate JSON, and restart the OpenClaw gateway (systemctl --user restart openclaw-gateway). It also suggests killing/restarting lmstudio (killall lmstudio; lmstudio &). These are powerful system actions that affect agent configuration and running processes. While they are coherent with the stated purpose, they grant the skill scope to change global agent behavior and stop/restart local services — worth caution.
Install Mechanism
There is no install spec and no code files (instruction-only), so nothing will automatically be downloaded or written by the platform. The README suggests cloning a GitHub repo, but the provided URL is a placeholder and not authoritative; this weak provenance is a risk if a user follows it blindly to fetch code from an unknown source.
Credentials
The documentation states 'Kimi API key configured (for API mode)' but the skill metadata lists no required environment variables or primary credential. It's unclear where/how that API key is expected to be stored (openclaw.json, env var, credential store). Additionally, modifying openclaw.json could expose or change other skills' configuration or credentials if present in that file. The requested scope (editing agent config and restarting services) is proportionate to switching models but the missing explicit credential handling is an inconsistency.
Persistence & Privilege
The skill does not request always: true and will not be force-included. It instructs changing the agent's main config file (~/.openclaw/openclaw.json) and restarting the gateway service; that is a privileged action relative to ordinary read-only skills but is functionally required to change the active model. Users should be aware this permanently alters agent configuration unless they restore from backup.
What to consider before installing
This skill is instruction-only and will ask you (or the agent) to edit your OpenClaw config and restart services. Before using it: 1) Do not run the placeholder git clone URL — verify the repository and author. 2) Inspect any code or scripts before executing them. 3) Back up ~/.openclaw/openclaw.json (the README already suggests this) and confirm where your Kimi API key is stored; the skill doesn't declare how it expects the key to be provided. 4) Be prepared that it will restart the openclaw gateway and may kill/restart local LM Studio processes — test in a safe environment first. 5) If you lack sysuser/systemctl access or are unsure what modifying agents.defaults.primary does, get an admin to review the change. If the author/publishing repo cannot be verified, avoid installing or performing the commands as-is.Like a lobster shell, security has layers — review code before you run it.
latestvk97bem141t19r2f7x1q6ksnevx82xqve
License
MIT-0
Free to use, modify, and redistribute. No attribution required.