Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Key Swap

v1.0.0

Rotate Claude Max API token for OpenClaw Anthropic profiles. Use when the user says "swap key", "rotate key", "new key", "keyswap", or provides a new `sk-ant...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name and description match the actual behavior: the script updates the Anthropic profile tokens in the OpenClaw auth file. No unrelated credentials or services are requested. The skill assumes OpenClaw stores profiles at $HOME/.openclaw/agents/main/agent/auth-profiles.json and will update two profiles; this is coherent with 'rotate key' functionality. Note: the SKILL.md references an absolute install path (/opt/homebrew/...) which assumes a specific installation layout (macOS/Homebrew/npm global), but that is an implementation detail rather than a mismatch of purpose.
Instruction Scope
Instructions are narrowly scoped: ask user for a token (must start with sk-ant-), run the included script, and report results. The script reads and overwrites the local auth-profiles.json, resets usageStats for the specified profiles, and restarts the OpenClaw gateway. This stays within the stated purpose, but the instructions do not mention prerequisites (jq, correct file path, permissions) or error-recovery (backup of auth file). Also the script resets usageStats and deletes failureCounts — this is functional but could remove historical failure data, which users may want to be aware of.
Install Mechanism
No install spec is present (instruction-only plus bundled script), so nothing is downloaded or installed by the skill. The script is bundled in the package. The SKILL.md directs running the script from a fixed /opt/homebrew/... path; if the user's installation location differs the provided command may fail. No external downloads or obscure URLs are used.
Credentials
The skill requests no environment variables and no external credentials. It does modify the local OpenClaw auth file (which contains API tokens) — that is exactly what key rotation requires. There is no attempt to transmit tokens externally. Users should note the script runs as the invoking user and will overwrite the auth-profiles.json in that user's home directory.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It modifies OpenClaw's own auth file and restarts the OpenClaw gateway (via launchctl), which is appropriate for rotating an active key. The script does not alter other skills' configs or system-wide settings beyond restarting the gateway for the current user. Note: restart uses macOS-specific launchctl invocation and may fail or be inappropriate on non-macOS systems.
Assessment
This skill appears to be what it claims: it asks the user for a new sk-ant- token, updates your OpenClaw Anthropic profiles file, and restarts the gateway. Before running it, ensure: 1) you trust the token you will provide, 2) you have a backup of $HOME/.openclaw/agents/main/agent/auth-profiles.json (the script overwrites it), 3) jq is installed and the OpenClaw CLI/LaunchAgent exist on your system (the SKILL.md assumes a macOS/Homebrew path and uses launchctl), and 4) you are comfortable that usageStats and failureCounts for those profiles will be reset (the script clears historic failure data). If your OpenClaw installation path differs, run the bundled script from its actual location or copy it into place rather than blindly running the exact /opt/homebrew/... command.

Like a lobster shell, security has layers — review code before you run it.