FreeRide -Gateway
Review
Audited by ClawScan on May 10, 2026.
Overview
Review before use: this skill routes prompts through an unauthenticated local gateway that uses your real provider API keys, and it also documents config-changing, telemetry, and background-daemon features.
Use this only if you understand and trust the FreeRide gateway. Before wiring tools to it, confirm which provider keys are configured, whether telemetry is acceptable, and whether automatic failover to multiple providers matches your privacy expectations. Do not let an agent run config-changing commands such as `freeride bind` or `freeride auto` without your approval.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your provider keys could be used through the local gateway without a meaningful inbound secret, potentially consuming free-tier limits, paid credits, or sending prompts under your account.
The gateway accepts unauthenticated local requests while using real provider credentials for outbound calls, so any client able to reach the local port could consume the user's provider quota or account authority.
The API key value is irrelevant — FreeRide doesn't authenticate inbound requests; it uses the user's real provider keys (which it reads from env vars like `OPENROUTER_API_KEY`) for outbound calls.
Only run the gateway on a trusted machine, keep it bound to localhost, set only the provider keys you intend to use, and prefer an authenticated or access-controlled local setup if available.
Sensitive prompts may leave your machine and be processed by whichever configured provider is selected or used as fallback.
Prompts and completions may be sent to different external providers automatically. This is aligned with the gateway purpose, but it affects privacy, logging, and provider terms.
forwards to whichever free-tier provider the user has keys for, failing over across providers and keys when one rate limits or errors
Avoid sending confidential data unless you accept the policies of all configured providers; limit configured providers/keys and check `_freeride_provider` or `X-FreeRide-Provider` when provider choice matters.
Your agent or tool configuration could be changed to route future AI requests through FreeRide.
The documented CLI can modify agent configuration. This is purpose-aligned for wiring clients to the gateway, but it changes future agent behavior and should not be done silently.
`freeride bind <agent>` # write gateway URL into agent config ... `freeride auto` # auto-configure OpenClaw
Require explicit user approval before running `freeride bind` or `freeride auto`, and back up or review config files before and after changes.
Operational information could be sent as telemetry without the user understanding exactly what is collected.
The artifact discloses telemetry but does not describe what the beacon sends, where it goes, or its retention. The opt-out framing leaves the data-flow scope unclear.
`freeride telemetry [on|off]` # manage telemetry beacon ... `First-run banner spam` | `Telemetry disclosure (one-time)` | `Run freeride telemetry off to opt out`
Review FreeRide's telemetry policy before use and run `freeride telemetry off` if you do not want telemetry.
A background component may continue managing routing/failover, and local state may persist across restarts.
The skill documents a background daemon and persistent state. This appears related to failover, but users should know when something continues running or stores state after the immediate task.
`freeride-watcher` # background daemon, rotates on failure ... Cooldowns persist across restarts (`~/.freeride/cooldown.json`).
Only start the watcher intentionally, know how to stop it, and periodically review or remove `~/.freeride` state if no longer needed.
The security of the actual gateway depends on the external FreeRide installation, not on reviewed code in this skill.
The reviewed skill contains only instructions and relies on an external `freeride` binary that is not part of the supplied artifacts, so its implementation and provenance are outside this review.
Source: unknown; Homepage: none; No code files present — this is an instruction-only skill.
Install or keep FreeRide only from a trusted source, verify the binary path, and update it through a reputable channel.
