Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Perplexity Sonar via Openrouter in CLI

v1.0.0

Local OpenRouter Sonar web search CLI using the user's OpenRouter API key. Use when you want OpenRouter-backed web search or cited research from a local comm...

by James Keane @iamjameskeane
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's name/description match the included README, SKILL.md, and the Bun CLI script: it implements a local 'sonar' CLI that calls OpenRouter endpoints and maps Perplexity Sonar models. The declared registry metadata, however, does not list the required OPENROUTER_API_KEY even though the SKILL.md and script require it — this metadata omission is inconsistent.
Instruction Scope
Runtime instructions and the CLI code are limited to building chat-completion requests to openrouter.ai, listing models, and optionally writing user-requested output files. The SKILL.md does not direct the agent to read unrelated files or other credentials. The only environment variables referenced are OPENROUTER_API_KEY (required) and a couple of optional OPENROUTER_* variables, which are appropriate for the described function.
Install Mechanism
There is no packaged install spec in the skill registry; README suggests cloning the GitHub repo and symlinking the TypeScript/Bun script into ~/.local/bin. This is a common lightweight install pattern; it requires the Bun runtime and running a script from an external repo, which is expected but does carry the normal trust/runtime risk of executing third-party scripts locally.
Credentials
The code legitimately requires a single API credential (OPENROUTER_API_KEY) and optionally a model/referrer/title env var. However, the registry metadata claims 'Required env vars: none' while SKILL.md and the script state OPENROUTER_API_KEY is required. This inconsistency could lead to accidental disclosure or misconfiguration and should be corrected before use.
Persistence & Privilege
The skill is not always-enabled, does not request system-wide configuration changes, and does not modify other skills. It runs on demand as a local CLI; no elevated or persistent privileges are requested.
What to consider before installing
This package appears to do what it says: a local CLI that calls openrouter.ai using your OPENROUTER_API_KEY. Before installing:

  • (1) verify the repository/source you clone (the package has no homepage in the registry);
  • (2) be aware the README instructs you to run a Bun script from the repository — inspect the script yourself before making it executable;
  • (3) set OPENROUTER_API_KEY only if you trust the code, and consider using a limited-scope API key or a dedicated account;
  • (4) note the registry metadata omitted the required env var — treat that as a red flag and prefer source verification;
  • (5) run the tool in an isolated environment if you are unsure (container/VM) and review network traffic if you need to confirm it only talks to openrouter.ai.
scripts/openrouter-sonar.ts:19
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.


latest vk974xm1ac8np47kvm4zjd0yqfd858dr6
24 downloads
0 stars
1 version
Updated 9h ago
v1.0.0
MIT-0

OpenRouter Sonar

This skill provides a local sonar CLI backed by OpenRouter Sonar models with web search enabled.

Commands

Search

sonar "latest OpenRouter Sonar features"
sonar "best document AI underwriting startups" --model sonar-pro
sonar "credit underwriting agents" --model sonar-reasoning-pro
sonar "latest underwriting automation startups" --format md --output notes.md
sonar "OpenRouter Sonar pricing" --format json --output sonar.json

Default model:

  • sonar

Supported short model names:

  • sonar
  • sonar-pro
  • sonar-pro-search
  • sonar-reasoning
  • sonar-reasoning-pro
  • sonar-deep-research

These map internally to:

  • perplexity/sonar
  • perplexity/sonar-pro
  • perplexity/sonar-pro-search
  • perplexity/sonar-reasoning
  • perplexity/sonar-reasoning-pro
  • perplexity/sonar-deep-research

Models

sonar models

Shortcuts

sonar pro "latest OpenRouter Sonar features"
sonar pro-search "best cited search workflow for agents"
sonar deep "compare OpenRouter Sonar vs Tavily for research"
sonar reason "reason through the strongest arguments for and against RAG here"
sonar reason-pro "compare three underwriting architectures and justify the best one"

Research

sonar research "Compare Tavily, Exa, and Sonar for cited research workflows"
sonar research "Latest UK AI policy changes" --format md --output policy.md

Default model for research:

  • sonar-deep-research

Output

Use --output to write to a file and --format to choose the file type.

Supported formats:

  • text
  • txt
  • md
  • json

Environment

Required:

  • OPENROUTER_API_KEY

Optional:

  • OPENROUTER_SONAR_MODEL using short form, for example sonar or sonar-pro
  • OPENROUTER_REFERER
  • OPENROUTER_TITLE

Notes

  • This is intentionally local, not MCP.
  • It uses OpenRouter chat completions with web search enabled.
  • Short model names are preferred, but full perplexity/... names still work.
