ClawAPI

Audited by ClawScan on May 10, 2026.

Overview

ClawAPI's declared capabilities are consistent with its stated purpose as a local model/key manager, but installing it means trusting an external macOS app that will store API keys and edit OpenClaw configuration.

Install only if you trust the publisher and GitHub release source. Review the installer or use the release download, understand that API keys will be copied into OpenClaw's auth-profiles.json, and use revocable provider keys where possible.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Provider API keys may grant paid API access or account-level capabilities, and a local copy in auth-profiles.json could be exposed if the local machine or OpenClaw config is compromised.

Why it was flagged

The skill intentionally handles provider API keys and stores a usable copy in OpenClaw's local auth profile. This is purpose-aligned, but it is high-impact credential handling.

Skill content

API keys are managed in **two places** by design: ... **macOS Keychain (master copy)** ... **`auth-profiles.json` (sync copy for OpenClaw)** ... ClawAPI writes a copy of the key there so OpenClaw can use it.

Recommendation

Use limited-scope/revocable provider keys where possible, understand that keys are copied into OpenClaw config, and revoke keys if you uninstall or stop trusting the app.

What this means

Running the installer means trusting the GitHub repository, release artifact, and publisher with local app installation and later API-key handling.

Why it was flagged

The documented installer executes a remote GitHub-hosted shell script that downloads and installs an external macOS app. The docs say it verifies a checksum and recommend reviewing the script, but the installer/app code is not included in the provided artifacts.

Skill content

curl -fsSL https://raw.githubusercontent.com/Gogo6969/clawapi/main/install.sh | bash

Recommendation

Prefer the GitHub Releases download if you do not want to run a remote shell pipeline, review the install script before running it, and verify release signatures/checksums where available.

What this means

A mistaken or unwanted model switch could affect which provider OpenClaw uses, potentially changing cost, latency, or data routing for future OpenClaw requests.

Why it was flagged

The app changes OpenClaw configuration that controls future model/provider use. This is the core feature and is mitigated by the disclosed JSON validation and backups, but it still gives the app authority to change how the agent behaves.

Skill content

One-click model switching — Pick any model from any provider and apply it instantly ... The active model selection is written to `openclaw.json`.

Recommendation

Confirm the selected provider/model after changes and keep the documented .bak backups if you need to revert configuration.