Model Advisor
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This helper is coherent: it recommends models and scores OpenClaw security, but it does read recent local chat history and OpenClaw configuration.
Before installing, be comfortable with a local helper reading recent OpenClaw chat history and OpenClaw configuration. If you only want a recommendation for a described task, use the recommend mode instead of history-based auto mode, and verify the Node command points to the actual installed script.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The helper can inspect recent local OpenClaw conversations to infer what type of work you do, although the shown logic uses them for keyword counts rather than sharing the raw text.
Auto history analysis reads persisted OpenClaw session files and extracts user message text. This is disclosed and bounded, but those messages may contain private information.
const SESSIONS_DIR = join(HOME, '.openclaw', 'agents', 'main', 'sessions'); ... function loadHistoryMessages(maxSessions = 5, maxMsgsPerSession = 50)
Use history-based auto mode only if you are comfortable with recent chats being read locally; use the task-description recommend mode when you do not want history analyzed.
The skill can see local OpenClaw security configuration details, which may reveal how your gateway is exposed or protected.
The script reads the local OpenClaw gateway configuration to calculate a security score. The visible output prints summary fields such as bind, auth mode, and port rather than secrets.
const CONFIG_PATH = join(HOME, '.openclaw', 'openclaw.json'); ... return JSON.parse(readFileSync(CONFIG_PATH, 'utf8'));
Install only if you want this skill to inspect OpenClaw configuration; avoid sharing the generated report publicly if it exposes your security posture.
The command examples may not work as-is on other systems, and users should verify they are running the installed script from the expected location.
The usage instructions depend on running a Node helper script and show a user-specific absolute path, while the metadata declares no required binaries or install spec.
node "C:\Users\zane\.openclaw\workspace\skills\model-advisor\scripts\advisor.js" auto
Confirm the installed script path and Node runtime before use; package metadata should declare the Node requirement and avoid user-specific absolute paths.
