ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenRouter Analytics

v1.0.0

Review OpenRouter usage, analytics, and troubleshooting data via API. Use when the user asks for spend/usage monitoring, activity trends, per-key management...

0· 652·0 current·0 all-time
byPedro Gonzalez@plgonzalezrx8
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The script and SKILL.md implement OpenRouter management and per-request debugging operations (activity, credits, keys, generation) that fit the skill name/description. However, the registry metadata declares no required environment variables or config paths while the runtime requires OPENROUTER_MANAGEMENT_KEY and OPENROUTER_API_KEY — an omission in the manifest that reduces transparency.
Instruction Scope
Runtime instructions ask the user to run the included Python script and describe expected flags. The SKILL.md and script both state the script will auto-load ~/.openclaw/.env and a current-directory .env before execution — this means the skill will read user dotfiles for credentials/config, which is reasonable for a CLI but should have been declared explicitly.
Install Mechanism
No install spec is provided (instruction-only with an included helper script). Nothing in the package attempts to download or install external code during install. This is the lowest-risk install model.
!
Credentials
The credentials the script uses (a management key for aggregate data and a regular API key for per-request lookups) are proportionate to the stated functionality. However, the registry declares no required environment variables or config paths while the script depends on OPENROUTER_MANAGEMENT_KEY and OPENROUTER_API_KEY and will read ~/.openclaw/.env and ./.env — the lack of these declarations is an incoherence and a transparency/privacy concern.
Persistence & Privilege
The skill does not request permanent/always-on presence and does not modify other skills or system-wide settings. It runs as a user-invoked script and doesn’t appear to attempt privilege escalation.
What to consider before installing
Before installing or running: (1) Recognize that the script requires two OpenRouter keys (OPENROUTER_MANAGEMENT_KEY and OPENROUTER_API_KEY) even though the registry metadata lists none — confirm you are comfortable providing those. (2) The script auto-loads ~/.openclaw/.env and ./.env; inspect those files for other secrets before running or move keys to a dedicated env file. (3) Review the full script (included) for any network endpoints or unexpected behavior (the visible code calls https://openrouter.ai/api/v1). (4) Run the script in an isolated environment (or with test keys) if you’re unsure about the source, and ask the publisher to update the package metadata to declare required env vars and config paths for transparency. (5) If you want higher assurance, request or verify an official homepage or trusted publisher identity before trusting management-level keys.

Like a lobster shell, security has layers — review code before you run it.

latestvk97axx6smwx7cvvh0y55yyvwcn81ck0m

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments