v1.0.0

Model Failover Doctor

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 6:31 AM.

Analysis

This tool is aimed at a real OpenClaw repair task, but its automatic repair mode can rewrite model-routing files and default invalid routes to a hard-coded provider, so it deserves review before use.

GuidanceBefore installing or using auto-repair, run the diagnosis and --dry-run modes first. Check any proposed pools.json provider replacements, especially changes to custom-llmapi-lovbrowser-com, and only then use --fix or --restart if the changes match your intended OpenClaw provider setup.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

model_failover_doctor.py

lb = 'custom-llmapi-lovbrowser-com' ... if new_val is None: new_val = f'{lb}/{model_path}' ... pools[pool_name][field] = new_val

The P-1 auto-fix rewrites pools.json entries and can fall back to a specific hard-coded provider rather than only selecting from the discovered valid provider set.

User impactRunning --fix could change which model provider future OpenClaw traffic uses, potentially to a provider the user did not intend.

RecommendationRun --dry-run first and only accept provider replacements that are valid and intended for your OpenClaw setup.

Cascading Failures

SeverityLowConfidenceHighStatusNote

README.md

修复范围明确，只触碰与 failover 相关的三个文件：message-injector/index.ts, .lib/pools.json, .lib/session_model_state.json

The documented repair scope spans runtime extension code, model pools, and session model state, so a bad repair can affect multiple sessions or the gateway rather than only the current request.

User impactA mistaken repair may change model fallback behavior across the local OpenClaw environment.

RecommendationUse the dry-run output and backups; avoid --fix --restart until the proposed file changes are reviewed.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceHighStatusNote

metadata

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

The package does not provide external provenance or an install specification, while the included script is intended to modify local OpenClaw configuration.

User impactUsers have less provenance information for a tool that can alter important local agent routing files.

RecommendationReview the included Python script and prefer dry-run mode before trusting the package to repair files automatically.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

model_failover_doctor.py

const globalDeadModels = new Map<string, number>(); ... const DEAD_MODEL_TTL = 2 * 60 * 60 * 1000; // 2h ... globalDeadModels.set(state.model, Date.now());

The tool does not auto-fix MI-2, but it recommends adding cross-session dead-model memory that would let one session's model failure influence later routing decisions.

User impactIf manually applied, a false dead-model marking could suppress a model for other sessions for up to two hours.

RecommendationTreat the MI-2 recommendation as a design change; review the TTL and error-matching logic before adding it to a shared gateway.