Model Switchboard
v3.0.0
Safely configure OpenClaw AI models by validating roles, autoloading backups, blocking unsafe changes, and managing via CLI or Canvas UI.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Verdict: Benign (medium confidence)
Purpose & Capability
Name/description match the code and SKILL.md: the bundle contains a validation engine, CLI wrapper, redundancy generator, UI, model registry and setup script. Files access the OpenClaw config (~/.openclaw/openclaw.json) and provider auth artifacts — expected for a model-management tool. No unrelated cloud creds or unrelated binaries are requested.
Instruction Scope
SKILL.md confines runtime actions to model validation and backups, carried out through the OpenClaw CLI and the provided switchboard.sh/ui. It explicitly forbids direct editing of openclaw.json and prescribes dry-runs and confirmations. SKILL.md does suggest editing model-registry.json to add new models (this changes the skill bundle's data), which is within the tool's domain but worth noting because it requires modifying shipped files.
Install Mechanism
No install spec / no external downloads. This is instruction-first with bundled scripts (Python + Bash + HTML). That lowers install-time risk compared to fetching remote archives. No evidence of remote code pulls or unusual installers in included files.
Credentials
The skill itself declares no required env vars; at runtime it conditionally reads provider API keys and OpenClaw auth files (ANTHROPIC_API_KEY, OPENAI_API_KEY, ~/.openclaw/auth/*) to detect available providers — this is proportional to model/provider discovery and redundancy features. It does read/write the user's OpenClaw config and creates backups under ~/.openclaw — expected for this purpose.
Persistence & Privilege
No 'always: true' privilege. The skill reads/writes user-level config (~/.openclaw/openclaw.json and backups) and runs a UI server locally; these are appropriate for a model-management tool. It does not request system-wide privileges or modify other skills' configs in the provided excerpts.
Scan Findings in Context
[H-1_XSS_innerHTML] unexpected: Audit found severe XSS in ui/index.html where innerHTML was used with an inadequate esc() function; the CHANGELOG claims this was fixed (replaced with safe DOM APIs). A UI that renders model/provider names must be XSS-safe; if fixes are present this finding should be resolved — verify the UI uses textContent/createElement and no inline onclick string interpolation before deployment.
[H-2_Shell_injection_import_config] unexpected: Audit reported shell interpolation of a CLI argument into inline Python (import_config) enabling code injection. The CHANGELOG claims the pattern was replaced by passing file paths via environment variables. Confirm switchboard.sh's import path uses environment-variable passing (SWITCHBOARD_IMPORT_FILE) rather than direct shell interpolation before trusting imports.
[M-1_Cron_model_validation_missing] unexpected: Audit flagged absence of cron-job model validation. The SKILL.md and CHANGELOG claim a new validate-cron-models command was added. This validation is important for the tool's safety guarantees; confirm the validate-cron-models implementation is present and exercised (unit/functional test) if you rely on automated cron validation.
[M-3_Backup_pruning_race] unexpected: Audit pointed out a race in backup pruning (ls/tail/xargs rm). CHANGELOG says flock-based locking was added. Backups and rollback are central to the tool's promise; verify locking exists in the live switchboard.sh and test concurrent operations.
Assessment
This skill appears coherent and appropriate for managing OpenClaw models: it only needs access to your OpenClaw config and any provider API keys you already use, and it implements validation, backups and a UI. However, the included security audit flagged two HIGH issues (XSS in the UI and a shell-injection vector in the import flow). The changelog states those issues were fixed, but some files in the submission were truncated so I could not fully verify every fix.

Before installing or enabling this skill in production:

1) Inspect switchboard.sh (import_config) to ensure file paths are passed via environment variables (no unescaped shell interpolation).
2) Open ui/index.html and confirm user/model strings are rendered using textContent/createElement (no innerHTML with unescaped values or inline onclick string interpolation).
3) Run the tool in a non-production environment, exercise import/export and UI flows, and confirm backups and rollback work as advertised.
4) If you must trust it in production, run a local security test (attempt model names with special characters, simulate concurrent operations) and ensure backup directory permissions and lockfiles are present.

If you want, I can (a) search the provided switchboard.sh and ui files for the exact patterns and report lines that still look risky, or (b) provide a short checklist of commands/tests to run to validate the fixes on your machine.
