OpenRouter Analytics
Pass. Audited by ClawScan on May 1, 2026.
Overview
The skill is coherent for OpenRouter analytics, but users should note that it uses OpenRouter account/API credentials and auto-loads local .env files.
This looks appropriate for reviewing OpenRouter usage and troubleshooting data. Install/use it only if you are comfortable giving the agent access to OpenRouter account analytics and local dotenv-based credentials, and be careful with `--raw` or CSV exports because they may contain sensitive account details.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can reveal OpenRouter spend, usage patterns, key-level consumption, and request troubleshooting details to the local agent/session.
The skill needs OpenRouter credentials and can query account-level usage, credits, key-level reporting, and request metadata. This is expected for the stated analytics purpose, but it is still sensitive account access.
`activity`, `credits`, `keys`, and `report` require a **Management API key**. `generation` uses a standard **OpenRouter API key**.
Use the least-privileged OpenRouter key available, avoid sharing raw outputs unnecessarily, and revoke or rotate keys if they may have been exposed.
If those dotenv files contain unrelated secrets, they may be loaded into the script process environment, even though the visible code only shows OpenRouter API use.
Dotenv files often contain credentials. The behavior is disclosed and appears intended to load OpenRouter keys, but it may read local files containing other secrets.
The script auto-loads `~/.openclaw/.env` and current-directory `.env` before execution.
Prefer passing the needed OpenRouter token explicitly or ensure the loaded dotenv files contain only credentials you are comfortable exposing to this process.
