free-model-router-laodao
PassAudited by ClawScan on May 13, 2026.
Overview
This skill is coherent for a local free-model router, but it will run a persistent local proxy, store provider API keys, modify OpenClaw model routing, and contact external provider/control servers.
Install this only if you want OpenClaw traffic routed through a persistent local service and external free-model providers. Review the providers you configure, protect or remove the local API-key configuration when no longer needed, and use the stop/uninstall plus cron cleanup steps if you disable it.
Publisher note
free-model-router-v1 对用户的核心价值是可扩展的免费模型,因此需要构建本地回环的代理地址,用户的提示词与指令不经过本free-model-router的服务端,而是在本地代理层直接转发至终端可信的provider,比如openrouter、modescope、nivida等。 免费渠道的模型频繁变动,必须由服务端动态维护,用户才能正常使用。 用户还从服务端获取公告,用于版本更新等重要事情的提醒,这是为了保障用户的核心功能体验。
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and configuring the skill can redirect OpenClaw model requests through this local router.
The setup script writes a new model provider into OpenClaw configuration. This is expected for a model router and includes backup/rollback logic, but it changes how the agent sends model traffic.
t.models.providers["free-model-router"]={baseUrl:o,api:"openai-completions",apiKey:r||"free-model-router",models:[{id:"model-router",name:"model-router"}]}Only run setup if you want OpenClaw model traffic routed this way, and keep the generated backups until you confirm the configuration works.
Provider API keys you enter will be saved locally for the router to use.
The router stores user-supplied provider API keys in its local configuration. This is necessary for provider access, but it is sensitive credential handling.
function setProviderApiKey(e,r){return update(o=>{if(!o.providers[e])throw new Error(`Provider "${e}" 不存在`);o.providers[e].apiKey=r})}Use provider keys you are comfortable storing locally, restrict file access on your machine, and delete the local router configuration if you no longer want the keys retained.
Your conversations may leave your machine and be processed by whichever external model provider the router selects.
The data-flow documentation clearly states that prompts and model responses are forwarded to external model providers.
Layer 2: 本地 Router → 外部模型 Provider(OpenRouter、NVIDIA NIM 等)
(提示词和模型响应经过 Provider 服务器)Do not send sensitive content through providers you do not trust, and review each provider’s privacy terms before configuring its API key.
The router can continue running in the background until stopped.
The CLI starts the router as a detached background process. This is purpose-aligned for a local proxy, but it creates ongoing activity beyond a single command run.
spawn(process.execPath,[r],{detached:!0,stdio:"ignore",env:{...process.env}}).unref();Use the documented stop or uninstall command when you no longer want the router running, and check for any scheduled tasks created during setup.
You may see update or announcement messages controlled by the model-server.
Remote announcement content can be stored/displayed later through the event notification system. The artifact includes URL domain validation, but the announcement text itself is externally supplied.
公告内容完全由 model-server 动态返回,不要写死数据。如果 `metadata.url` 存在,**在域名校验通过后**向用户展示该链接
Treat announcements as informational content, not instructions to change security settings or share secrets unless you independently verify them.
It may be harder to audit updates or verify the publisher’s source history.
The registry metadata does not provide a source repository or homepage, which limits independent provenance review for a skill that handles model traffic and credentials.
Source: unknown Homepage: none
Prefer installing only if you trust the publisher, and inspect the full source before relying on the privacy claims.