critical
suspicious.dangerous_exec
- Location
- scripts/free-model-cli.js:1
- Finding
- Shell command execution detected (child_process).
free-model-router-laodao
AdvisoryAudited by Static analysis on May 13, 2026.
Overview
Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
NoteHigh Confidence
ASI02: Tool Misuse and ExploitationWhat this means
Installing and configuring the skill can redirect OpenClaw model requests through this local router.
Why it was flagged
The setup script writes a new model provider into OpenClaw configuration. This is expected for a model router and includes backup/rollback logic, but it changes how the agent sends model traffic.
Skill content
t.models.providers["free-model-router"]={baseUrl:o,api:"openai-completions",apiKey:r||"free-model-router",models:[{id:"model-router",name:"model-router"}]}Recommendation
Only run setup if you want OpenClaw model traffic routed this way, and keep the generated backups until you confirm the configuration works.
NoteHigh Confidence
ASI03: Identity and Privilege AbuseWhat this means
Provider API keys you enter will be saved locally for the router to use.
Why it was flagged
The router stores user-supplied provider API keys in its local configuration. This is necessary for provider access, but it is sensitive credential handling.
Skill content
function setProviderApiKey(e,r){return update(o=>{if(!o.providers[e])throw new Error(`Provider "${e}" 不存在`);o.providers[e].apiKey=r})}Recommendation
Use provider keys you are comfortable storing locally, restrict file access on your machine, and delete the local router configuration if you no longer want the keys retained.
NoteHigh Confidence
ASI07: Insecure Inter-Agent CommunicationWhat this means
Your conversations may leave your machine and be processed by whichever external model provider the router selects.
Why it was flagged
The data-flow documentation clearly states that prompts and model responses are forwarded to external model providers.
Skill content
Layer 2: 本地 Router → 外部模型 Provider(OpenRouter、NVIDIA NIM 等)
(提示词和模型响应经过 Provider 服务器)Recommendation
Do not send sensitive content through providers you do not trust, and review each provider’s privacy terms before configuring its API key.
NoteHigh Confidence
ASI10: Rogue AgentsWhat this means
The router can continue running in the background until stopped.
Why it was flagged
The CLI starts the router as a detached background process. This is purpose-aligned for a local proxy, but it creates ongoing activity beyond a single command run.
Skill content
spawn(process.execPath,[r],{detached:!0,stdio:"ignore",env:{...process.env}}).unref();Recommendation
Use the documented stop or uninstall command when you no longer want the router running, and check for any scheduled tasks created during setup.
NoteHigh Confidence
ASI06: Memory and Context PoisoningWhat this means
You may see update or announcement messages controlled by the model-server.
Why it was flagged
Remote announcement content can be stored/displayed later through the event notification system. The artifact includes URL domain validation, but the announcement text itself is externally supplied.
Skill content
公告内容完全由 model-server 动态返回,不要写死数据。如果 `metadata.url` 存在,**在域名校验通过后**向用户展示该链接
Recommendation
Treat announcements as informational content, not instructions to change security settings or share secrets unless you independently verify them.
NoteHigh Confidence
ASI04: Agentic Supply Chain VulnerabilitiesWhat this means
It may be harder to audit updates or verify the publisher’s source history.
Why it was flagged
The registry metadata does not provide a source repository or homepage, which limits independent provenance review for a skill that handles model traffic and credentials.
Skill content
Source: unknown Homepage: none
Recommendation
Prefer installing only if you trust the publisher, and inspect the full source before relying on the privacy claims.
Findings (4)
critical
suspicious.env_credential_access
- Location
- scripts/free-model-cli.js:1
- Finding
- Environment variable access combined with network send.
critical
suspicious.exposed_secret_literal
- Location
- core/admin/public/login.html:87
- Finding
- File appears to expose a hardcoded API secret or token.
critical
suspicious.exposed_secret_literal
- Location
- core/admin/public/setup.html:61
- Finding
- File appears to expose a hardcoded API secret or token.