Claw Cost Router

Security checks across malware telemetry and agentic risk

Overview

This appears to be a purpose-aligned model-routing plugin, but it runs on startup, changes model choice for every turn, and locally logs prompt snippets by default.

Install only if you want a gateway-level plugin that automatically changes Claude model selection for every turn. Before enabling it, verify the plugin ID used for configuration, tune the skill lists and default model, and decide whether local prompt-snippet logging should be disabled.

VirusTotal

No VirusTotal findings

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

Misconfiguration or overly broad defaults could route ordinary chats or unknown skills to a cheaper or more expensive model than expected.

Why it was flagged

The plugin hooks model resolution and can override the model/provider for each turn. This is the advertised purpose, but users should understand it changes agent behavior globally while enabled.

Skill content
api.on("before_model_resolve", async (event, ctx) => { ... return { modelOverride: defaultModel, providerOverride: "anthropic" };
Recommendation

Review defaultModel, opusSkills, and haikuSkills before enabling, and test routing with non-sensitive prompts.

ASI06: Memory and Context Poisoning
Low
What this means

Sensitive information typed near the start of a message may remain in local OpenClaw plugin logs.

Why it was flagged

Each routing decision is appended to a local JSONL file, including channel/trigger metadata and the first 80 characters of the prompt.

Skill content
fs.appendFileSync(logPath, JSON.stringify(record) + "\n"); ... promptHead: prompt.slice(0,80)
Recommendation

Set logging to false if prompt snippets should not be retained, and periodically rotate or delete the decisions.jsonl file.

ASI09: Human-Agent Trust Exploitation
Info
What this means

A user may think they disabled logging or changed routing rules when the runtime plugin is still using defaults.

Why it was flagged

The documentation uses two different plugin entry names in the same configuration section, which may cause users to place settings under the wrong key.

Skill content
add a `config` block under `plugins.entries.claw-cost-router` ... "entries": { "model-router": {
Recommendation

Confirm the actual plugin ID with `openclaw plugins list` and verify the config key that OpenClaw applies.