Mixture of Agents
v1.2.0Mixture of Agents: Make 3 frontier models argue, then synthesize their best insights into one superior answer. ~$0.03/query.
⭐ 0· 614·1 current·1 all-time
byJohn Scianna@jscianna
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill's stated purpose (mixing multiple LLMs and synthesizing their outputs) matches the code and instructions. However, registry metadata at the top of the provided package summary lists no required environment variables, while both SKILL.md and manifest.json require OPENROUTER_API_KEY — an inconsistency that should be corrected but is not evidence of malicious behavior.
Instruction Scope
SKILL.md and the code instruct the agent to call OpenRouter's chat completions API with the user's prompt, aggregate model responses, and synthesize them. The instructions do not ask for unrelated files or credentials. One minor operational note: scripts/moa-paid.js contains a hard-coded example prompt and calls runMoA(prompt) immediately (it runs when executed), which is a benign demo but may be surprising if someone runs that file expecting only a library. The scripts also print prompt snippets and model responses to stdout (logging), which may expose sensitive prompts/responses in logs.
Install Mechanism
There is no install spec (instruction-only skill with Node.js files). No remote downloads or archive extraction are used. The package relies on axios (a normal dependency) and runtime Node >=18 as declared in manifest.json.
Credentials
The only required secret is OPENROUTER_API_KEY, which is appropriate for a skill that calls OpenRouter. The earlier top-level summary incorrectly claimed 'no required env vars', which conflicts with the manifest/SKILL.md — the environment requirement itself is proportionate, but the metadata mismatch should be fixed.
Persistence & Privilege
The skill does not request always: true and does not modify other skills or global agent configuration. It behaves as a normal user-invocable skill that makes outbound API calls; autonomous invocation is allowed by default but not unusually privileged here.
Assessment
This skill is coherent and appears to be what it claims: it needs an OpenRouter API key and will send your prompts (and the model responses) to openrouter.ai. Before installing, (1) confirm you are comfortable sending query text and any sensitive context to OpenRouter, (2) set OPENROUTER_API_KEY only with a key scoped/rotatable for this use, (3) inspect scripts/moa-paid.js (it contains a hard-coded demo prompt and runs immediately if executed), and (4) avoid using this skill with secrets or highly sensitive data because prompts and responses are logged to stdout and sent to external models. Also correct or be aware of the metadata mismatch (some metadata claims no env vars while the manifest and SKILL.md require OPENROUTER_API_KEY). If you need stronger assurance, ask the author for a canonical repository URL and a checksumed release, and test the code in an isolated environment first.Like a lobster shell, security has layers — review code before you run it.
latestvk97a1khz5gjhdd0jg4f2efyxfh81k2dt
License
MIT-0
Free to use, modify, and redistribute. No attribution required.