Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Clawhub Skill
v0.1.4Configure, run, and troubleshoot the OpenRouter hardware-aware classifier router (wizard setup, local model, routing, and dashboard).
⭐ 0· 1.6k·2 current·5 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md describes an OpenRouter/Xrouter that needs provider endpoints, API keys, and optional local models — these capabilities align with the stated purpose. However, the registry metadata claims no required env vars or primary credential while the documentation explicitly references multiple API keys and a required 'frontier provider endpoint' (ROUTER_API_KEY, CHEAP_API_KEY, etc.). The missing declaration in metadata is an inconsistency.
Instruction Scope
The runtime instructions stay within the router's scope: run npm install, run a configure wizard that scans local hardware and writes upstreams.json/.env, start the server, and expose local endpoints (health, usage, dashboard). The wizard scanning hardware and listing local Ollama models is expected for a hardware-aware router. No instructions are present that obviously exfiltrate data to unexpected external endpoints.
Install Mechanism
This is an instruction-only skill (no bundled code). It instructs the user to run 'npm install' which will pull code and dependencies from the npm ecosystem and then run local scripts. Because the skill bundle provides no source or homepage, the actual code and dependencies that will be installed are unknown to reviewers — this introduces supply-chain risk even though no install spec is bundled.
Credentials
The SKILL.md lists many environment variables including provider API keys and a required frontier provider endpoint; these are proportionate for a router. The concern is that the registry metadata declares no required env vars or primary credential, so sensitive credentials are not declared at install/registration time. The configure wizard will prompt to store keys in .env/upstreams.json, which could persist secrets locally — users should be aware.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and is instruction-only. It will write local configuration files (.env, upstreams.json) and logs in the working directory if you run its wizard — this is expected behavior for a local router and within its scope.
What to consider before installing
This skill appears to be an instruction-only router (Xrouter) whose documentation expects you to run 'npm install' and a configure wizard that will scan hardware and ask for provider API keys, then write configuration files (.env, upstreams.json) and run a local server. That is coherent with its purpose, but there are two important caution points: (1) the registry metadata does not declare the many env vars and credentials the SKILL.md expects — treat that as an inconsistency; (2) the bundle contains no code or source URL/homepage, so running 'npm install' will pull code from upstream npm/github repositories you cannot verify from this package alone. Before installing: verify the upstream repository and package.json (source, maintainer, dependency list), run the wizard in an isolated environment or container, avoid supplying high-privilege credentials (use limited API keys or test accounts), bind the service to localhost (HOST=127.0.0.1) if you don't want it public, and inspect generated files (.env/upstreams.json) before placing real secrets there. If you cannot verify the source or dependency tree, avoid installing or run it in a tightly sandboxed environment.Like a lobster shell, security has layers — review code before you run it.
latestvk9764xp2ewepjbyr3nx6344n4580t8dr
License
MIT-0
Free to use, modify, and redistribute. No attribution required.