Back to skill
Skillv1.0.2
ClawScan security
OrderOpenRouter - Buy from any API and signup with your claw and creditcard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 11, 2026, 2:14 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions match its stated purpose (an OpenRouter gateway client) and only request a single OpenRouter API key.
- Guidance
- This skill appears coherent: it only needs your OpenRouter API key to act as a client to openrouter.ai. Before installing, confirm you’re using the official service (https://openrouter.ai), and treat the API key like a secret — limit its scope if possible, do not reuse it across other services, and monitor usage/billing for unexpected activity. If you plan to use BYOK (bring-your-own-provider keys) with OpenRouter, keep provider keys separate and be aware that routing may expose prompts to upstream providers per OpenRouter's policies. Autonomous agent invocation is allowed by default; if you do not want the agent to call this skill without prompting, restrict those settings in your agent configuration.
Review Dimensions
- Purpose & Capability
- okThe name/description state an OpenRouter gateway integration and the only required credential is OPENROUTER_API_KEY, which is exactly what an API gateway client would need.
- Instruction Scope
- okSKILL.md contains usage docs and examples (curl and SDK) that operate against openrouter.ai. It does not instruct the agent to read unrelated files, other environment variables, or send data to unexpected endpoints.
- Install Mechanism
- okNo install spec or code is present (instruction-only), so nothing is written to disk or downloaded during install.
- Credentials
- okOnly OPENROUTER_API_KEY is declared and used as the primary credential. No unrelated secrets or multiple credential requests are present.
- Persistence & Privilege
- okThe skill is not always-enabled and does not request elevated or cross-skill configuration. Agent autonomous invocation remains enabled by default (normal for skills).