Lmstudio Model Switch
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is a coherent model-switching helper, but using it can persistently change OpenClaw's active model, restart the gateway, and send future model traffic to Kimi's cloud API when API mode is selected.
This appears suitable if you intentionally want model switching. Before installing, verify the source repository, understand that switching to API mode may send future prompts to Kimi, keep backups of openclaw.json, and use local mode for secrets or sensitive work.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the switch can affect future OpenClaw sessions and may briefly interrupt the gateway.
The core workflow intentionally edits OpenClaw's persistent model configuration and restarts a local service. This is purpose-aligned, but operationally high-impact.
How It Works: "Backup" ... "Edit": Modifies "primary" model in agents.defaults ... "Restart": Restarts OpenClaw gateway service
Use the switch commands only when you intend to change providers, keep the backup, and verify the active model after switching.
If API mode is active, future model requests may leave the local machine and be handled by Kimi's service.
The skill clearly discloses a local-vs-cloud provider choice and warns users to use local mode for sensitive material. API mode implies prompts and context may be processed by the cloud provider.
"/switch-model api" | Switch to Kimi K2.5 API ... Use local when handling: Authentication tokens, Passwords or credentials, Sensitive personal data
Use local LM Studio mode for secrets, proprietary code, or personal data, and confirm which provider is active before sensitive work.
The Kimi key may carry account access and billing authority for API calls.
API mode requires a provider credential. This is expected for the stated integration, and the artifacts do not show hardcoding, logging, or unrelated use of the key.
Kimi API key configured (for API mode)
Store the API key securely, use the least-privileged key available, and monitor provider usage or billing.
Cloning a different or unverified repository could install files that were not reviewed here.
The installation instructions use a placeholder repository, while the provided review contains only SKILL.md and no runnable implementation.
git clone https://github.com/yourusername/lmstudio-model-switch ~/.openclaw/workspace/skills/lmstudio-model-switch
Install only from a trusted, specific source and inspect any cloned files before enabling the skill.