Skill v1.0.1

ClawScan security

Switch Modes · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 10, 2026, 5:04 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions and requirements are generally consistent with its stated purpose (switching the agent's model), but it reads/writes the user's OpenClaw config file and has a couple of minor inconsistencies and privacy considerations you should review before using it.
Guidance
This skill appears to do what it says (switch your agent's model by editing OpenClaw config files), but take these precautions before installing: (1) inspect your ~/.openclaw/openclaw.json to confirm it doesn't expose secrets you wouldn't want read or printed by the agent; (2) back up openclaw.json before using the skill so you can restore settings if something goes wrong; (3) consider requesting the skill author set disableModelInvocation:true if you don't want the model to call this skill autonomously; (4) verify whether changes are intended to be session-local or persistent—the SKILL.md is inconsistent on that point; (5) check file permissions on ~/.openclaw to limit unintended access. If you want, I can draft a safer SKILL.md that explicitly avoids printing secrets and documents persistence and invocation behavior.

Review Dimensions

Purpose & Capability
ok: The name/description (switching modes/models) matches the runtime instructions: reading a mode mapping file and updating the OpenClaw config's model field. No unrelated APIs, binaries, or credentials are requested in the metadata.
Instruction Scope
note: Instructions explicitly tell the agent to read/write ~/.openclaw/openclaw.json and to create ~/.openclaw/workspace/switch-modes.json. That is within scope for changing the default model, but the skill also recommends specific vendor model IDs and relies on an AskUserQuestion primitive (agent action) which should be present in your agent environment.
Install Mechanism
ok: Instruction-only skill with no install spec or code to download — lowest-risk delivery model. Nothing is being written to disk by an installer beyond the normal config files the skill itself creates at runtime.
Credentials
concern: The skill declares no required env vars, but it instructs the agent to read ~/.openclaw/openclaw.json. That file likely contains API keys or other sensitive fields. The skill does not mention handling or avoiding exposure of such secrets when reading or displaying the config, so there is a risk of inadvertent leakage or misuse of credentials if the agent logs or reports file contents.
Persistence & Privilege
concern: The skill does not set always:true (good) and does not disable model invocation, so the agent may invoke it autonomously. Also the SKILL.md contains an internal inconsistency: it claims "Changes only affect the current session's default model" while its actions write back to ~/.openclaw/openclaw.json (a persistent change). You should confirm expected persistence and whether autonomous invocation is acceptable.