Skill v4.0.0

ClawScan security

Model Router Hook · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 3, 2026, 6:01 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and instructions match its stated purpose (model routing, cost control, and local learning); it persists user/session data locally and invokes a local OpenClaw CLI/module if available, which are the main privacy/operational concerns.
Guidance
This skill appears to do what it claims: automatic model routing, cost tracking, and learning user preferences. Before installing, consider: 1) It stores user/session data and cost logs on disk at ~/.openclaw/workspace/memory/model-router/ — if that data would be sensitive in your environment, avoid or restrict it. 2) It may call a local OpenClaw CLI or import openclaw.tools to effect model switches; ensure you trust the local openclaw installation. 3) The code uses subprocess.run (only to call the OpenClaw CLI as provided), so verify there are no additional unexpected subprocess/network calls in the parts of the code not shown. If you need higher assurance, request a full review of the untruncated scripts/model_router.py to confirm there are no hidden network endpoints, telemetry, or arbitrary command execution paths.

Review Dimensions

Purpose & Capability
ok: The name/description (model routing, cost control, user-preference learning) align with the code and SKILL.md. Declared storage paths, budget logic, intent signals, and OpenClaw integration are coherent with the stated functionality.
Instruction Scope
note: SKILL.md and code limit actions to routing decisions, local persistence (user/profile/session/cost records), cost estimation, and optionally calling OpenClaw to effect a model switch. The skill persistently stores user profiles and session memory under ~/.openclaw/workspace/memory/model-router/, which is expected for its cross-session learning feature but is a privacy consideration (it will retain user content and derived profiles).
Install Mechanism
ok: No install spec — code files are included and executed by the agent environment. No external downloads or unusual installers are used.
Credentials
ok: The skill does not request credentials or environment variables. It writes/reads local files under the user's home directory (as described in SKILL.md). It sets a local environment flag (_OPENCLAW_MODEL_OVERRIDE) as an integration fallback; this is reasonable for inter-process signaling but should be noted.
Persistence & Privilege
note: always=false and the skill is user-invocable (normal). The skill creates and updates persistent files (profiles, session memory, cost logs) across sessions. This persistent storage and cross-session learning are consistent with the feature set but increase privacy risk and attack surface (local files containing user data).