Security audit

ModelPool (Free)

Security checks across malware telemetry and agentic risk

Overview

This looks like a real OpenClaw model manager, but it needs review because it stores API keys locally and can automatically rewrite config, test endpoints, clean state, and restart OpenClaw.

Install only if you can verify that the package or repository you run matches this reviewed artifact. Use revocable OpenRouter keys, assume they may be stored locally in plaintext under ~/.openclaw and in OpenClaw config/backups, review provider base URLs before repair, and run repair only when config changes, session cleanup, log cleanup, and an OpenClaw restart are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Context-Inappropriate Capability

Severity: Medium. Confidence: 81%.
The status command performs host-level socket/process inspection using 'ss -tlnp', which exceeds the minimum scope needed for a model-management utility. On many systems this can expose process names, listening ports, and service topology, increasing local information disclosure and normalizing unnecessary host introspection in a user-facing skill.

Missing User Warnings

Severity: Medium. Confidence: 90%.
The README promotes a one-click repair flow that performs diagnostics, config fixes, session cleanup, resource cleanup, and service restarts, but it does not prominently warn users that these steps will modify local configuration and affect running services. In an agent-skill context, users may treat the command as low-risk troubleshooting, increasing the chance of unintended system changes, disruption, or loss of local state.

Missing User Warnings

Severity: Medium. Confidence: 84%.
The README instructs users to enter and save multiple OpenRouter API keys but gives no security guidance on how those credentials are stored, masked, or protected. In a tool centered on multi-key rotation, this omission materially increases the risk of credential leakage through plaintext config files, logs, screenshots, shell history, or overly broad file permissions.

Vague Triggers

Severity: Medium. Confidence: 75%.
The marketing language promises broad, automatic behavior like 'one command' setup and 'unlimited free AI' without clearly defining operational scope, side effects, or limits. In a security-sensitive skill, vague activation language increases the chance that users invoke powerful actions without understanding that keys, configs, network calls, and system state may be modified.

Missing User Warnings

Severity: Medium. Confidence: 90%.
The setup and refresh descriptions instruct users to enter API keys and rely on external model discovery, but do not clearly warn that secrets will be handled and remote APIs contacted. This omission can lead users to disclose credentials without understanding storage, transmission, retention, or privacy implications.

Missing User Warnings

Severity: Medium. Confidence: 88%.
Describing repair as a 'one-click fix' that automatically diagnoses and repairs issues understates that it may alter configuration, clean sessions, and restart components. Users may trigger disruptive changes to a live environment without realizing the command can interrupt service or modify local state.

Missing User Warnings

Severity: High. Confidence: 95%.
The documented auto-fix workflow includes cleanup, memory/log cleanup, and full restart actions, all of which can disrupt running workloads, remove forensic data, or change application behavior. Without advance warning, review, or confirmation, these operations can cause availability loss and make incident investigation harder.

Missing User Warnings

Severity: Medium. Confidence: 91%.
The guide tells users to copy and paste a live API key and even shows the key format, but it does not clearly warn that the key is a secret that must not be exposed in terminals, screenshots, shell history, shared sessions, or logs. In this skill context, the risk is elevated because the document is specifically onboarding users to configure real credentials for an external service, making accidental credential leakage plausible during setup.

Missing User Warnings

Severity: Medium. Confidence: 97%.
API keys are stored in a plaintext JSON file under the user's home directory with no permission hardening or warning. If local file permissions are weak, backups are synced, or another local process/user can read the file, the credentials can be stolen and abused against the user's OpenRouter account.

Missing User Warnings

Severity: Medium. Confidence: 89%.
The script silently rewrites the main OpenClaw configuration and creates only a local backup, without explicit confirmation that existing settings may be altered. In a config-management tool this can cause unintended reconfiguration, break existing providers, or redirect model usage in ways the user did not intend.

Missing User Warnings

Severity: Medium. Confidence: 93%.
The tool automatically restarts the OpenClaw daemon after changing configuration, without prior confirmation in non-interactive flows. This can interrupt active workloads or apply unexpected configuration changes immediately, which is risky in an agent-management environment.

Missing User Warnings

Severity: Medium. Confidence: 90%.
The validation routine transmits supplied API keys to the remote OpenRouter service without an explicit privacy notice or consent step. Although contacting the provider is necessary to validate a key, users should be clearly told that their credential will be sent over the network and used to query the models endpoint.

Missing User Warnings

Severity: Medium. Confidence: 88%.
The repair script automatically sends configured API keys and a live test request to every provider endpoint it finds in the user's config, without an explicit warning or consent gate at execution time. Because provider base URLs come from local configuration, this can disclose credentials and metadata to unexpected or attacker-controlled endpoints if the config has been tampered with or includes untrusted providers.

Missing User Warnings

Severity: Medium. Confidence: 90%.
The script rewrites the user's OpenClaw configuration file automatically and later changes model routing state as part of repair, without requiring explicit confirmation at the point of modification. Even though it creates a backup, silent config mutation can cause denial of service, misrouting, or persistence of attacker-influenced settings if the existing config is malicious or malformed.

Missing User Warnings

Severity: Medium. Confidence: 87%.
The script performs state-changing repair actions such as doctor --fix, session cleanup, and daemon restart automatically, without a clear advance warning or consent step. In an agent skill context this is more dangerous because execution may be delegated or triggered with limited user review, causing service interruption or unintended system changes.

VirusTotal

63/63 vendors flagged this skill as clean.