Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OpenRouter Paid Fallback
v1.0.0
Set OpenClaw to use a paid OpenRouter model first and fall back to free models when quota is exhausted or rate-limited. Use when the user wants a paid OpenRo...
by Ceasr Hu @h452624729
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (prefer paid OpenRouter model with free fallbacks) matches the steps to edit model-routing keys, but the SKILL.md explicitly says to "Keep the OpenRouter API key present in config" while the registry metadata lists no required environment variables or primary credential. That mismatch is unexplained.
Instruction Scope
Instructions are limited to editing model-routing keys, preserving unrelated config, restarting the gateway, and validating status. They do not ask the agent to read unrelated files or exfiltrate data beyond the OpenRouter API key mentioned.
Install Mechanism
This is an instruction-only skill with no install spec or code to write to disk, which is appropriate and low-risk for a configuration change task.
Credentials
The runtime instructions require an OpenRouter API key to be present in configuration, but the skill manifest does not declare any required environment variables or primary credential. The skill should explicitly declare which secret (e.g., OPENROUTER_API_KEY) it needs and why; absence of that declaration is a proportionality/information gap.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. Its scope is limited to editing model-routing keys in agent config; no indication it attempts to modify other skills or system-wide settings beyond restarting the gateway.
What to consider before installing
This skill appears to do only model-routing edits, which is reasonable, but it mentions keeping an OpenRouter API key while the manifest doesn't declare any required credentials. Before installing: (1) confirm which secret the skill needs (e.g., OPENROUTER_API_KEY) and where it will be stored; (2) ensure the key is stored in a secure agent secret store rather than hard-coded into config files; (3) back up your agent/gateway config before applying changes; (4) run the changes in a non-production environment first and verify the skill edits only the model-routing keys it promises. If the publisher cannot clarify the missing credential declaration, treat the omission as suspicious and avoid installing until resolved.
Like a lobster shell, security has layers — review code before you run it.
