Clawd Throttle
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its LLM-routing purpose, but it deserves Review because its optional HTTP proxy appears to accept unauthenticated client requests while using your provider API keys.
This skill appears to be a legitimate LLM cost-routing proxy, not malware. Before installing, decide whether you are comfortable sending prompts to multiple external LLM providers, use limited API keys, and be especially careful with HTTP proxy mode: keep it local, firewall it, and do not expose it without authentication.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone or something that can reach the proxy may be able to send LLM requests through your accounts, causing cost and sending prompt data to providers.
The proxy is designed to use the user's configured provider API keys, while client examples show no meaningful authentication to the proxy itself. If HTTP mode is enabled and reachable, another local or network client could route prompts and spend API credits.
export ANTHROPIC_API_KEY=sk-... ... base_url="http://localhost:8484/v1", api_key="unused"
Only enable HTTP mode when needed, bind/firewall it to localhost, and prefer a proxy authentication token or other access control before exposing it to other processes or networks.
Installing or using the skill may let the agent make requests that consume your LLM provider credits.
The skill expects provider credentials so it can route requests to external LLM APIs. This is purpose-aligned, but those keys authorize paid account activity.
"requires":{"bins":["node"],"env":["ANTHROPIC_API_KEY","GOOGLE_AI_API_KEY"],"optionalEnv":["XAI_API_KEY","OPENAI_API_KEY","DEEPSEEK_API_KEY","MOONSHOT_API_KEY","MISTRAL_API_KEY"]}Use restricted or budget-limited API keys where possible, monitor provider usage, and avoid sharing broad production keys.
Local log files may expose when and how you used different models, even if the prompt text is not stored.
The skill persists routing metadata in local JSONL logs. It does not store raw prompt content in the shown log type, but hashes, timestamps, model choices, token counts, and costs can still reveal usage patterns.
promptHash: string; ... selectedModel: string; provider: ApiProvider; ... inputTokens: number; outputTokens: number; estimatedCostUsd: number; parentRequestId?: string;
Keep the config/log directory private, rotate or delete logs when no longer needed, and avoid placing logs in synced or shared folders unless intended.
Setup may fail or behave differently across platforms, and users cannot review the referenced Windows setup script from the supplied artifacts.
The package references a Windows setup script that is not present in the supplied file manifest, while the Unix setup script is present. This is an install/provenance mismatch rather than evidence of malicious behavior.
"setup": "powershell -ExecutionPolicy Bypass -File scripts/setup.ps1", "setup:unix": "bash scripts/setup.sh"
Verify the repository contents before running setup, prefer the reviewed Unix script or manual configuration when appropriate, and ensure missing install files are supplied by the publisher.
A user may underestimate that prompt content is transmitted to third-party model providers.
The skill discloses external API proxying, but the privacy wording could be misread as meaning prompt data never leaves the machine. In normal operation, prompts are sent to the selected LLM provider.
The request is proxied to the correct API ... All data stays local in ~/.config/clawd-throttle/
Treat routed prompts as shared with the selected provider, and avoid sending confidential content unless the provider and account terms are acceptable.