Free Model Router

Security checks across malware telemetry and agentic risk

Overview

The advertised free-model router mostly matches its main commands, but the package also includes undisclosed marketing and monitoring scripts unrelated to that purpose.

Review before installing. If you only want FreeRide model routing, remove or ignore the `jobs/` directory, back up `~/.openclaw/openclaw.json`, and run only the documented `freeride` commands. Do not run `freeride-watcher --daemon` unless you want continuous automatic model probing and config rotation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs use of environment variables, shell commands, network access, and modification of local configuration files, yet it declares no permissions. This creates a transparency and consent problem: an agent could execute sensitive actions such as reading API keys, writing ~/.openclaw/openclaw.json, and restarting services without an explicit permission boundary.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file's behavior is materially inconsistent with the declared skill purpose: instead of managing free OpenRouter models, it monitors X/Twitter, scores leads, drafts outreach, and stores lead data. This kind of hidden scope expansion is dangerous because it can cause an agent operator to grant permissions or trust appropriate for model management while the code actually performs surveillance and marketing automation.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code fetches social-media posts and mentions, profiles users, scores 'buying intent,' and drafts replies/DMs, none of which is justified by the stated OpenRouter/OpenClaw configuration purpose. In a skill that users expect to manage AI model settings, this hidden collection and processing of third-party social data is especially risky because it is covert and outside reasonable user expectations.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This file performs external website and checkout monitoring for meetrick.ai and associated Stripe/Railway endpoints, which is unrelated to the declared skill purpose of managing free OpenRouter models and updating OpenClaw configuration. That mismatch is dangerous because it hides undisclosed surveillance/exfiltration behavior inside an unrelated skill, increasing the likelihood that operators install code they would not have approved if its true purpose were disclosed.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file implements outbound lead generation and personalized DM drafting, which is materially unrelated to the declared skill purpose of managing free OpenRouter models and updating openclaw.json. That mismatch is dangerous because it hides growth/marketing automation inside a model-management skill, increasing the chance that operators grant it trust, permissions, or execution they would not otherwise allow.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README encourages users to run a watcher daemon that monitors rate limits and rotates models while also modifying OpenClaw configuration, but it does not include any warning about what data may be sent to OpenRouter, what files are changed, or the operational/privacy implications of a background process. In an AI-agent context, silently reconfiguring model routing and running a daemon can affect confidentiality, availability, and user trust if prompts or metadata are transmitted to third parties without informed consent.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger language is broad enough to match common conversational phrases like 'free AI,' 'model switching,' or 'reduce AI costs,' which could cause the skill to activate in situations where the user did not intend configuration changes. Because the skill's workflow includes writing config and restarting the gateway, accidental invocation materially increases the chance of unintended system modification.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow directs immediate execution of commands that modify ~/.openclaw/openclaw.json and restart the OpenClaw gateway, but it does not require an explicit warning or confirmation to the user first. Silent local config changes and service restarts can disrupt running sessions, alter model behavior, and create safety issues if performed unexpectedly.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code sends tweet text, usernames, and follower metadata to an external model for scoring without any visible disclosure, consent flow, or data-handling boundary. That exposes third-party content and account metadata to another service and may violate privacy expectations, platform rules, or organizational data-governance requirements.

Missing User Warnings

Low
Confidence
72% confidence
Finding
This code accesses an external social-media data source through the xpost tool without any obvious disclosure in the skill's stated purpose or runtime messaging. While external access alone is not inherently unsafe, it becomes problematic here because it is hidden behind a misleading model-management skill context and collects data unrelated to the advertised function.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code sends page content previews from the monitored sites to an external model-analysis function without any explicit disclosure, consent, or data-handling controls. Even though the targets are public web pages, this still creates an undeclared third-party data flow and could expose checkout content, error messages, tokens in HTML, or business-sensitive page state to an outside model provider.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code sends locally sourced target data and lead context to an external model via call_free_model(prompt) without any visible consent, disclosure, minimization, or classification checks. This can leak personal, proprietary, or sensitive outreach intelligence to a third-party provider, especially since the data originates from files under the user's home directory and may include tweet text and sales context.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill overwrites the user's OpenClaw configuration file directly, with no backup, diff display, or confirmation prompt. A mistaken invocation or unexpected model selection can silently alter runtime behavior and potentially disrupt existing security-relevant settings or availability.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The fallbacks command rewrites model settings immediately and can replace a user's fallback configuration without warning. This creates an integrity and operational-risk issue because legitimate user preferences and recovery behavior may be lost or changed unexpectedly.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The description explicitly advertises automatic fallback switching and the manifest also declares write-relevant OpenClaw config keys, but it does not warn users that configuration may be modified automatically. In a tool that manages models and rate-limit handling, silent changes to the user's active model chain can alter cost, privacy, reliability, or behavior in ways the user did not intend.

Ssd 1

Medium
Confidence
92% confidence
Finding
Untrusted content from tweet_text and target context is interpolated directly into the model prompt, allowing semantic prompt injection that can steer the model away from the intended JSON task, manipulate outputs, or exfiltrate adjacent prompt content. Because this job automatically processes external social data into generated messages, an attacker could craft tweets or context specifically to influence the resulting drafts or break downstream parsing/automation.

VirusTotal

66/66 vendors flagged this skill as clean.
