Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
KimiClaw Bridge
v1.0.0
KimiClaw Bridge: Connect OpenClaw to Kimi K2.5 — the free, Anthropic-compatible coding model. One config change to run Claude Code, spawn coding agents, or c...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (bridge OpenClaw to Kimi K2.5) matches the instructions (OpenClaw config snippets, curl/Python examples, and spawn examples). However, the registry metadata declares no required environment variables or credentials while the SKILL.md repeatedly instructs the user/agent to supply an API key (e.g., ANTHROPIC_API_KEY / x-api-key / apiKey in openclaw.json). That mismatch is likely an oversight but is an inconsistency between declared requirements and runtime instructions.
Instruction Scope
SKILL.md stays on-topic: it shows how to configure openclaw.json, set ANTHROPIC_BASE_URL/ANTHROPIC_API_KEY, call the Kimi coding endpoint, and spawn agents with those env vars. It does not ask the agent to read unrelated host files, system secrets, or exfiltrate data to unexpected endpoints. Note: it suggests placing API keys in openclaw.json (a config file) which has security implications for secret storage.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest risk for supply-chain installs. Nothing is downloaded or written by the skill itself according to the provided data.
Credentials
The only secret implied by the instructions is an API key for Kimi (sk-kimi-...). That is proportionate to the stated purpose. However, the skill metadata lists no required env vars while the instructions require ANTHROPIC_API_KEY/ANTHROPIC_BASE_URL and show storing apiKey in openclaw.json — the metadata omission reduces transparency about what credentials will be needed and where they might be stored.
Persistence & Privilege
always:false and no install steps mean the skill does not request permanent presence or elevated platform privileges. It does not modify other skills' configs per the provided instructions.
What to consider before installing
This skill's instructions look coherent for connecting OpenClaw to a Kimi coding API, but note the registry metadata did not declare any required environment variables while the SKILL.md expects you to supply an API key (ANTHROPIC_API_KEY / x-api-key) and/or put the key into openclaw.json. Before installing or using it:
1) Verify the Kimi domain (https://api.kimi.com) and the provider's trustworthiness.
2) Avoid committing API keys into repo-tracked openclaw.json; prefer environment variables or secrets storage and restrict key scopes/quotas.
3) Test with a low-privilege or rate-limited key first.
4) If you rely on the registry metadata for automated permission reviews, update the skill metadata to declare the required env vars/credentials so automated checks can surface this dependency.
If you want me to, I can suggest a safer configuration example that keeps the API key out of committed config files.
Like a lobster shell, security has layers — review code before you run it.
