OpenClaw Model Provider
PassAudited by ClawScan on May 1, 2026.
Overview
This instruction-only skill is coherent for setting up model providers, but users should handle API keys and default model routing carefully.
This skill appears safe and purpose-aligned for adding OpenClaw model providers. Before installing or using it, be ready to review changes to ~/.openclaw/openclaw.json, keep the backup, use environment variables for API keys when possible, and only set a trusted provider as your default model.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an API key is pasted into chat, stored insecurely, or displayed during troubleshooting, someone with access to it could use the provider account or incur charges.
The skill asks for provider API credentials and advises how to store them. This is expected for adding a model provider, and the artifact recommends environment variables rather than hardcoding.
询问用户提供:... **API 密钥** ... 推荐将 API Key 放在环境变量中,而非硬编码到配置文件
Use a least-privilege provider key, prefer environment variables or a secret manager, avoid sharing real keys unnecessarily, and rotate any key that may have been exposed.
A wrong provider URL, model ID, or default model setting could cause OpenClaw to fail or use an unintended model provider later.
The skill guides the user to edit a persistent OpenClaw configuration file. This is purpose-aligned and includes a backup step, but it can affect future agent behavior.
指导用户将配置合并到 `~/.openclaw/openclaw.json` ... `cp ~/.openclaw/openclaw.json ~/.openclaw/openclaw.json.bak` ... `openclaw config edit`
Keep the backup, review the JSON diff before saving, validate the configuration, and confirm the provider/model name before making it the default.
Prompts, files, or other context sent to the default model may be processed by the configured third-party or local endpoint.
The configuration can set an external model-provider endpoint as OpenClaw’s default model. This is the skill’s stated purpose, but it means future model requests may go to the selected provider.
`baseUrl`: `https://api.xxx.com/v1` ... `agents.defaults.model.primary`: `提供商名称/模型ID`
Only configure providers you trust, check the endpoint URL carefully, and review the provider’s privacy and retention policy before sending sensitive data.