Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Spectyra – Save on OpenClaw & LLM costs

v1.0.1

Pay less for LLM and OpenClaw runs via Spectyra Local Companion. Covers every OpenClaw scenario that uses a spectyra/* model: interactive chat, local agents,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto: Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (route spectyra/* to a local companion for token optimization) aligns with the included artifacts: a config fragment that points OpenClaw to http://localhost:4111/v1, SKILL.md that documents the companion, and an npm install that provides the companion binary. Requiring 'spectyra-companion' and adding model aliases is coherent.
Instruction Scope
SKILL.md and README instruct the agent/user to install an npm companion and run an interactive setup which prompts for account sign-in/up and the LLM provider key. The provided setup.sh implements interactive Supabase-based signup/login and writes ~/.spectyra/desktop/config.json. The script appears to only call spectyra/supabase endpoints for account & license provisioning, but the truncated portion (AI provider key handling) is not visible — so it's unclear whether the provider API key is only stored locally or also transmitted to the vendor.
Install Mechanism
Install uses a named npm package (@spectyra/local-companion) which creates the spectyra-companion binary. This is a typical mechanism for delivering a local helper; it's moderate risk but expected for this use case. No direct arbitrary downloads or obscure hosts are used in the install spec.
Credentials
The skill declares no required env vars and only needs a local binary and account credentials to operate, which is reasonable. The setup prompts for email/password and (per README) an LLM provider API key; those secrets are persisted to ~/.spectyra/desktop/config.json via persist_spectyra_desktop_config.py. Persisting provider keys locally is expected for a local proxy, but you should verify what the companion sends to Spectyra cloud during/after setup — current files show Supabase auth and calls to Spectyra API for account/license, but the truncated portion prevents a definitive determination about whether the provider key is transmitted upstream.
Persistence & Privilege
The skill merges a config fragment into OpenClaw to add spectyra models and runs a post-install setup.sh that writes to ~/.spectyra. It does not request always:true and does not change other skills. Modifying the user's OpenClaw config and creating files in the home directory is expected for this integration but is persistent and will affect subsequent model resolution across agent/cron/skill runs.
What to consider before installing
This skill appears to do what it claims: install a local proxy and point OpenClaw at http://localhost:4111. However, before you install or run setup.sh, do the following:
1) Review the full setup.sh (the provided view is truncated) and confirm whether your LLM provider API key is ever POSTed to spectyra.ai or any other remote endpoint;
2) Inspect the npm package @spectyra/local-companion (source on GitHub/NPM) to verify its behaviour and network calls;
3) After setup, open and inspect ~/.spectyra/desktop/config.json to see which secrets were written and ensure file permissions are restrictive;
4) If you prefer minimal risk, run the installation and companion in an isolated environment (VM/container) until you are comfortable;
5) If you rely on strict key custody, do not provide your LLM provider key until you confirm (from the companion source or vendor docs) that the key never leaves your machine.
Because part of the installer is not visible here, I cannot rule out secret transmission — proceed only after the checks above or with reduced privileges.


latest · vk97dy1aky1a1xc7bbwhzr6hxx184mwt1


Runtime requirements

Clawdis
Bins: spectyra-companion

Install

Install Spectyra Local Companion (npm)
Bins: spectyra-companion
npm i -g @spectyra/local-companion
