Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
SEEK
v1.0.0
Manages free AI models from OpenRouter for OpenClaw. Automatically ranks models by quality, configures fallbacks for rate-limit handling, and updates opencla...
by @pz33y
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is designed to find/rank free OpenRouter models and update OpenClaw config; the code reads OpenRouter APIs and writes ~/.openclaw/openclaw.json which is coherent with the stated purpose. However, registry-level metadata provided above (no required env vars / no primary credential) contradicts the bundled skill.json and SKILL.md which clearly require OPENROUTER_API_KEY.
Instruction Scope
SKILL.md instructs the agent to check OPENROUTER_API_KEY, run the included CLI (freeride/freeride-watcher), and restart the OpenClaw gateway. The runtime instructions and code only read/write OpenClaw config and call OpenRouter endpoints; they do not attempt to read unrelated system files or exfiltrate data to unknown endpoints.
Install Mechanism
The registry metadata here said 'no install spec', but the package includes setup.py, entry points, and skill.json contains an install command (npx clawhub... && pip install -e .). The install is local (pip install -e .) and only depends on 'requests' — no obscure remote binaries or shortened/unknown URLs. The mismatch between 'no install spec' and the included install instructions is an inconsistency to check.
Credentials
Although the top-level metadata listed no required env vars, the SKILL.md, skill.json and code require OPENROUTER_API_KEY and will read it from the environment or from ~/.openclaw/openclaw.json. Requesting access to the user's OpenRouter API key is reasonable for this function, but the metadata mismatch (missing required env at registry level) is an incoherence and should be resolved before trusting the skill.
Persistence & Privilege
always:false and default autonomous invocation are present (normal). The skill writes cache/state under ~/.openclaw (e.g., .freeride-cache.json, .freeride-watcher-state.json) and updates openclaw.json keys only in agents.defaults.model and agents.defaults.models as described. It does not request system-wide privileges or modify other skills' configs.
What to consider before installing
This skill appears to do what it says (manage free OpenRouter models and update OpenClaw config), but there are metadata inconsistencies you should resolve before installing:
- It requires an OPENROUTER_API_KEY (SKILL.md and skill.json) despite the top-level registry data claiming no required env vars. Expect to provide a key and consider creating a dedicated OpenRouter key for this use. Do not reuse high-privilege keys.
- The package includes setup.py and console entry points; installation runs pip install -e . in the skill directory. That will install local Python code into your environment and add CLI commands. Review the included files (main.py, watcher.py) yourself (they are present and readable) before installing.
- The skill will modify ~/.openclaw/openclaw.json (agents.defaults.model, fallbacks, models) and create cache/state files under ~/.openclaw. Back up your openclaw.json before running freeride auto or the watcher.
- Network calls are only to openrouter.ai endpoints; no hidden remote endpoints were found. If you want to be cautious, run the tool in a restricted environment first or inspect/modify the code (e.g., remove auto-daemon behavior) and run a dry-run.
If you are comfortable with the author/source, proceed after backing up config and using a dedicated OpenRouter API key. If the source is unknown or untrusted, ask the publisher to clarify the registry metadata mismatch and provide a verified upstream repository before installing.
Like a lobster shell, security has layers — review code before you run it.
