Back to skill

Security audit

ClawAPI

Security checks across malware telemetry and agentic risk

Overview

ClawAPI’s purpose is coherent, but its install metadata runs an unpinned remote GitHub script while the installed app is meant to manage API keys and OpenClaw configuration.

Prefer the manual GitHub Releases download over the curl-to-bash installer. Install only if you trust the publisher, review the installer first, and use revocable provider API keys because the app intentionally stores keys and writes a usable copy into OpenClaw configuration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

External Script Fetching

Low
Category
Supply Chain
Content
description: Switch AI models and manage API keys for OpenClaw with a native macOS app. Supports 16 providers including OpenAI, Anthropic, xAI, Google, Groq, Ollama, LM Studio, and more.
homepage: https://github.com/Gogo6969/clawapi
user-invocable: true
metadata: {"openclaw":{"emoji":"🔑","requires":{"bins":["curl"],"config":["skills.entries.clawapi"]},"install":[{"kind":"script","command":"curl -fsSL https://raw.githubusercontent.com/Gogo6969/clawapi/main/install.sh | bash"}]}}
---

# ClawAPI — Model Switcher & Key Vault for OpenClaw
Confidence
98% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/Gogo6969/clawapi/main/install.sh | bash

External Script Fetching

Low
Category
Supply Chain
Content
### Option 2: Install script

```bash
curl -fsSL https://raw.githubusercontent.com/Gogo6969/clawapi/main/install.sh | bash
```

The install script downloads the same signed `.zip` from GitHub Releases, verifies the SHA-256 checksum, unzips it, and moves the app to `/Applications`. You can [review the script source](https://github.com/Gogo6969/clawapi/blob/main/install.sh) before running it.
Confidence
96% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/Gogo6969/clawapi/main/install.sh | bash

Chaining Abuse

High
Category
Tool Misuse
Content
### Option 2: Install script

```bash
curl -fsSL https://raw.githubusercontent.com/Gogo6969/clawapi/main/install.sh | bash
```

The install script downloads the same signed `.zip` from GitHub Releases, verifies the SHA-256 checksum, unzips it, and moves the app to `/Applications`. You can [review the script source](https://github.com/Gogo6969/clawapi/blob/main/install.sh) before running it.
Confidence
97% confidence
Finding
| bash

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal