ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenRouter Vision Agent

v1.0.1

Analyze images using OpenRouter's vision API with x-ai/grok-4.1-fast. Requires OPENROUTER_API_KEY env var or user-provided key. Use when the user asks to des...

0· 36·0 current·0 all-time
by@gawainchin
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The SKILL.md clearly requires an OPENROUTER_API_KEY and describes sending images to https://openrouter.ai, which is coherent with the name/description. However, the registry metadata lists no required env vars or primary credential. That mismatch (manifest says no env required while runtime instructions require an API key) is an incoherence that should be resolved before trusting the skill.
Instruction Scope
The runtime instructions are narrowly scoped to calling the OpenRouter chat completions endpoint with a model and an image_url payload. They explicitly instruct that images (or URLs) are uploaded to openrouter.ai and warn not to send sensitive images. The instructions do not reference unrelated files, credentials, or system paths.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes filesystem risk; nothing is downloaded or installed by the skill itself.
!
Credentials
The SKILL.md requires a single credential (OPENROUTER_API_KEY) which is appropriate for an API-calling vision skill. However, the registry metadata did not declare this required env var or a primary credential. That discrepancy is concerning because the platform-level manifest should list credentials the skill needs so users and controls can evaluate and protect them.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence. It is user-invocable and allowed to run autonomously by default (normal for skills), and there is no indication it modifies other skills or system-wide settings.
What to consider before installing
This skill appears to do what it claims (call OpenRouter's vision model) but the registry metadata omits the required OPENROUTER_API_KEY — a clear mismatch. Before installing or providing an API key: (1) Confirm the skill's source and author; prefer skills with a verifiable homepage or source repo. (2) Do not send sensitive/private images — the skill sends images and URLs to openrouter.ai. (3) If you must provide an API key, create a scoped or limited key and be ready to revoke it; never reuse high-privilege or long-lived secrets. (4) Ask the publisher to update the manifest to declare OPENROUTER_API_KEY in requires.env (so platform tooling can enforce least privilege). (5) Test with non-sensitive images first and monitor usage/quotas on your OpenRouter account. If you cannot verify the skill's origin or the manifest is not fixed, avoid supplying secrets or installing it.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ene5b4s71wcjwjhthzcs6rn853f5r
36downloads
0stars
2versions
Updated 23h ago
v1.0.1
MIT-0
@gawainchin
latest
Download

OpenRouter Vision Agent

Analyzes images via OpenRouter using x-ai/grok-4.1-fast.

API Details

  • Model: x-ai/grok-4.1-fast
  • Endpoint: https://openrouter.ai/api/v1/chat/completions
  • Auth: OPENROUTER_API_KEY env var — required
  • Max Tokens: 500–2000 (adjust depending on needed detail)

Image Analysis

Via curl

curl -s https://openrouter.ai/api/v1/chat/completions \
  -H "Authorization: Bearer $OPENROUTER_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "x-ai/grok-4.1-fast",
    "max_tokens": 800,
    "messages": [{
      "role": "user",
      "content": [
        {"type": "text", "text": "<prompt>"},
        {"type": "image_url", "image_url": {"url": "<image_url>"}}
      ]
    }]
  }'

Parameters

FieldValue
modelx-ai/grok-4.1-fast
messages[].content[].typetext + image_url
image_url.urlDirect image URL (http/https)
max_tokens500–2000

Output

Parse choices[0].message.content from the JSON response.

Notes

  • Credential required: OPENROUTER_API_KEY env var must be set. If not available, ask the user for their OpenRouter API key before proceeding.
  • Privacy: Images (including URLs and uploaded files) are sent to openrouter.ai. Do not use this skill with sensitive or private images.
  • Image URLs must be publicly accessible HTTP/HTTPS URLs
  • Supports JPEG, PNG, WebP, and other common formats
  • For local files, upload to a public URL first

Comments

Loading comments...