Skill v1.0.0
ClawScan security
Iblai Openclaw Router · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Feb 20, 2026, 8:09 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill largely does what it says (a local routing proxy) but the package metadata, install behavior, and secret handling are inconsistent and risky — review before installing.
- Guidance: This package implements a local proxy and will install a systemd service and modify your OpenClaw config. Before installing:
  1. Inspect server.js and config.json yourself to confirm behavior and upstream URLs.
  2. Edit scripts/install.sh to avoid auto-extracting your API key (the script greps ~/.openclaw/agents/main/agent/auth-profiles.json) — do not allow the installer to embed secrets into /etc/systemd/system/*.service. Prefer using an EnvironmentFile with restricted permissions or systemd secret mechanisms, or export ANTHROPIC_API_KEY at runtime instead.
  3. Back up ~/.openclaw/openclaw.json and test registration manually rather than letting the installer modify it automatically.
  4. If you must run it, run in an isolated environment (container or VM) first and verify that the router only forwards to your configured LLM provider.
  5. After install, check /etc/systemd/system/iblai-router.service for embedded secrets and remove/rotate any secret that was written there.

  The inconsistencies (metadata claiming no env vars / instruction-only vs included code that needs a key and writes configs) are likely sloppy engineering but could expose secrets if installed without care.
Review Dimensions
- Purpose & Capability (concern): The code and README implement a local Anthropic/OpenRouter proxy which matches the stated purpose. However, the registry metadata declared 'no required env vars' and 'instruction-only' while the package includes server.js and install scripts that require an ANTHROPIC_API_KEY and create a systemd service — an incoherence between claims and actual requirements.
- Instruction Scope (concern): SKILL.md and README instruct running scripts that will copy files to ~/.openclaw/workspace/router, create/enable a systemd service, and modify ~/.openclaw/openclaw.json to register the provider. The installer also attempts to auto-detect an Anthropic key by grepping ~/.openclaw/agents/main/agent/auth-profiles.json. Reading/writing other agent config and extracting API keys is outside a purely 'instruction-only' description and broadens scope.
- Install Mechanism (concern): Install is local (no external downloads) and just copies files and creates a systemd unit. That itself is reasonable for a local proxy, but the installer writes the detected Anthropic API key directly into the systemd unit (Environment=ANTHROPIC_API_KEY=...). Embedding secrets into unit files can expose them to other users/processes and is poor secret management.
- Credentials (concern): The package metadata declares no required env vars, but server.js requires ANTHROPIC_API_KEY and the install script actively searches for the user's Anthropic key and places it into the unit file. The README also suggests configuring 'apiKey passthrough' in OpenClaw, but the router ignores incoming x-api-key and uses the environment key — this mismatch is confusing and potentially leads to unexpected key usage/exposure.
- Persistence & Privilege (note): The installer creates a persistent systemd service (Restart=always) and registers a model provider in OpenClaw config. Persistent local services and config changes are expected for this functionality, but combined with the secret-handling behavior above this persistence increases the blast radius if misconfigured.
