Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Model Benchmark
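v0.1.0
In-depth evaluation of each model's actual performance on OpenClaw, supporting multi-dimensional assessment across Chinese comprehension, code, reasoning, and tool calling.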
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, and SKILL.md consistently describe a model benchmarking framework and include sensible test cases and report format. The SKILL.md also legitimately references adding providers to OpenClaw's models.json and using provider API keys for GLM-5, Qwen, etc., which is expected for a benchmarking skill that talks to external models.
Instruction Scope
The instructions stay within benchmarking scope (test items, scoring, report format). They reference specific operational items: editing OpenClaw models.json to add providers, using a local proxy at 127.0.0.1:8766, and acquiring provider API keys. They do not instruct the agent to read unrelated system files or exfiltrate data, but they do not specify safe handling or storage of credentials.
Install Mechanism
No install spec and no code files are provided (instruction-only), so nothing will be written to disk or installed by the skill itself. This is the lowest-risk install model.
Credentials
The SKILL.md explicitly lists provider API Key needs (GLM-5, Qwen, etc.) but the skill metadata declares no required environment variables or primary credential. That mismatch means the skill may expect the user/agent to supply secrets via models.json or prompts at runtime; the skill gives no guidance on where keys are stored, what permissions are needed, or whether keys will be transmitted to other endpoints. Requiring multiple external API keys is proportionate to benchmarking, but the lack of declared/env guidance and storage instructions is a privacy/operational concern.
Persistence & Privilege
The skill is not always-included and does not request system-level persistence. It does mention editing OpenClaw configuration (models.json) which is a normal and limited config change for integrating providers; there is no indication it modifies other skills or system-wide settings beyond provider config advice.
What to consider before installing
This skill appears to be a legitimate benchmarking instruction set, but it refers to obtaining and using multiple external provider API keys without declaring them in the metadata or describing how to provide or store them. Before installing or using it:
(1) Confirm how you'll supply provider keys — prefer ephemeral or least-privilege keys and avoid pasting long-lived secrets into third-party UIs.
(2) Understand where keys will be stored (models.json) and check file permissions; back up the original config.
(3) Verify the local proxy address (127.0.0.1:8766) is expected in your environment and not a misdirection to an unfamiliar service.
(4) If the agent will be given keys, ensure the agent's prompts/storage behavior is acceptable (won't exfiltrate them).
If you need complete assurance, request the skill author to declare required env vars and document exactly how credentials are used and persisted.
Like a lobster shell, security has layers — review code before you run it.
