Model Switch

Security checks across malware telemetry and agentic risk

Overview

This model-switching skill is purpose-aligned, but it can persistently change OpenClaw settings and duplicate API keys into multiple auth files without strong confirmation or scoping.

Install only if you are comfortable letting this skill edit your OpenClaw configuration and copy provider API keys into per-agent auth files. Back up `~/.openclaw` first, avoid `switch ALL` unless intentional, review `auth-profiles.json` after use, and prefer narrowly scoped provider keys.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Severity: Medium (93% confidence)
Finding:
The skill is presented as a model-switching utility, but this code also imports provider API keys from environment variables and writes them into persistent config and per-agent auth files. Persisting secrets across multiple files expands the attack surface, creates long-lived credential copies, and can surprise users who did not consent to credential storage as part of a simple model-switch workflow.

Context-Inappropriate Capability

Severity: Medium (84% confidence)
Finding:
This code reads provider API key presence from environment variables as part of normal operation, and elsewhere the skill propagates those credentials into configuration artifacts. While checking for configured credentials is not inherently malicious, bundling credential handling into a broader model-management skill increases the chance of unintended secret exposure and violates least surprise.

Intent-Code Divergence

Severity: Medium (96% confidence)
Finding:
The documentation makes conflicting claims about whether the skill will automatically change the current session model or merely print instructions for the user to do so. In a skill that changes configuration and runtime state, this ambiguity can cause unintended model switches, operator confusion, or failed recovery steps because users cannot reliably predict what actions the skill will perform.

Missing User Warnings

Severity: Medium (89% confidence)
Finding:
The README documents commands that update persistent configuration and credential-related files, including auth-profiles and provider key setup, but does not prominently warn users that these actions can modify long-lived settings and authentication mappings. In an automation/agent-skill context, that omission can cause users to run commands with broader side effects than expected, leading to misconfiguration, accidental credential association, or persistent environment changes.

Missing User Warnings

Severity: Medium (86% confidence)
Finding:
The documented `switch ALL <model>` operation implies a bulk persistent change across all agents, but the README does not clearly warn that this can alter defaults and behavior for every agent and future session. In a model-routing tool, broad undocumented scope increases the risk of disruptive fleet-wide misconfiguration, unexpected costs, or service failures if the target provider is not correctly provisioned.

Missing User Warnings

Severity: Medium (96% confidence)
Finding:
The script copies API keys from environment variables into openclaw.json and multiple auth-profiles.json files without an explicit warning that secrets will be persisted in plaintext-like JSON storage. This can expose credentials through local file compromise, backups, logs, sync tools, or overly permissive file permissions, and multiplies the number of locations an attacker can target.

Vague Triggers

Severity: Medium (93% confidence)
Finding:
The trigger phrases include very broad natural-language activators such as '当前模型' ("current model"), '模型问题' ("model issue"), and '模型列表' ("model list"), which could easily appear in ordinary conversation. That raises the risk of accidental skill activation, causing configuration inspection or model-switch workflows to start without clear user intent.

Vague Triggers

Severity: Medium (95% confidence)
Finding:
The phrase '当你说切到 xxx 时,会自动执行全部 5 步切换' ("when you say 'switch to xxx', all 5 switching steps run automatically") does not define boundaries for what counts as a valid invocation, so normal discussion containing similar wording may be interpreted as a command. Because the described workflow includes updating config and auth-related files, an overly broad trigger can lead to unintended persistent changes, not just a harmless read-only action.

VirusTotal

64/64 vendors flagged this skill as clean.