Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Model Steward (AI 模型智能管家)

v1.0.0

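Automatically monitors AI model news, collects free-token offers, generates weekly deployment recommendations, and supports one-click approval for deployment with safe rollback management.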


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for hhbb2221/ai-model-steward.

Install the skill "AI 模型智能管家" (hhbb2221/ai-model-steward) from ClawHub.
Skill page: https://clawhub.ai/hhbb2221/ai-model-steward
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install ai-model-steward

ClawHub CLI


npx clawhub@latest install ai-model-steward

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The code implements monitoring, scraping, report generation, and deployment (modifying OpenClaw config)—this matches the stated purpose. However metadata is inconsistent: the top-level registry 'Requirements' reported no required env vars, while skill.json and README clearly require an OPENROUTER_API_KEY (and mention Feishu OAuth). That mismatch between declared registry requirements and the packaged skill.json is a red flag.
Instruction Scope
Runtime instructions and code read and write the user's ~/.openclaw/openclaw.json, prompt for an OpenRouter API key, scrape multiple external websites, cache results to ~/.openclaw/.ai-model-steward, and (when approving) modify the global OpenClaw agents.defaults.model fallback list. Those file accesses and global-config modifications go beyond mere 'reporting' and are high-impact; the SKILL.md does not clearly warn users that installing will alter their OpenClaw config.
Install Mechanism
No remote downloads or extract operations; packaging is a normal Python project (setup.py) with a single dependency (requests). Install via pip install -e . is standard and proportional.
Credentials
The skill legitimately needs an OpenRouter API key to call the OpenRouter API (skill.json documents OPENROUTER_API_KEY). The repository and README also mention optional Feishu (飞书) tokens for saving reports. The initial registry metadata (shown above) incorrectly listed no required env vars — this discrepancy should be resolved before trusting the skill.
Persistence & Privilege
The skill modifies a global agent configuration file (~/.openclaw/openclaw.json): it creates backups and writes updated configs to add/remove models in the fallback chain. Modifying other skills'/global agent settings is a high privilege action; although it is aligned with the declared deployment purpose, it substantially increases risk if the skill or its credentials are compromised.
What to consider before installing

  • Metadata mismatch: the registry summary showed no required env vars, but skill.json and the code require OPENROUTER_API_KEY (and optionally Feishu tokens). Don't trust the top-line registry claim — verify the skill.json and README.
  • Back up your OpenClaw config (~/.openclaw/openclaw.json) before installing or running this tool. The deployer will read, back up, and overwrite that file to add/remove fallback models.
  • Review the code yourself (or have someone you trust audit it). The package is pure Python and readable; check any missing modules (e.g., bitable_writer referenced but not included) and confirm no hidden network endpoints.
  • Limit credentials: if you provide OPENROUTER_API_KEY or Feishu app tokens, prefer creating least-privilege tokens or using ephemeral/test accounts first. The tool will read tokens from your openclaw.json or prompt for them.
  • Run in an isolated environment first (VM or non-production user account) to confirm behavior (what files are written, how backups are made, what network calls occur).
  • If you plan to allow automated cron runs, be aware that scheduled execution plus the ability to modify global config increases blast radius—ensure you trust the author or have internal approval processes in place.

If you want, I can: (a) list the exact lines that read/write ~/.openclaw/openclaw.json, (b) show where the code prompts for or uses credentials, or (c) suggest a minimal safe test plan to run the tool in isolation.

Like a lobster shell, security has layers — review code before you run it.

Tags: ai, deployment, intelligence, latest, models, monitoring, openrouter
78 downloads
0 stars
1 version
Updated 3w ago
v1.0.0
MIT-0

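AI Model Steward (AI 模型智能管家)

Fully automated monitoring of the latest AI model news: collects free-token information daily, generates deployment recommendations weekly, and supports one-click approval for deployment.

Features

  • 📡 Daily intelligence: automatically monitors OpenRouter, 机器之心 (Synced), 量子位 (QbitAI), HuggingFace and other platforms
  • 🎁 Free-token tracking: aggregates channels for claiming free tokens and limited-time offers
  • 📊 Weekly report analysis: AI-generated weekly deployment recommendations comparing model quality and price
  • 🔌 One-click deployment: once approved, a model is automatically added to the model switching chain
  • 🔄 Safe rollback: every deployment is backed up automatically, with one-click rollback

Quick start

Installation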

cd ~/.openclaw/workspace/projects/ai-model-steward
pip install -e .

Manual execution

# Daily intelligence
ai-model-steward daily

# Weekly report
ai-model-steward weekly

# View history
ai-model-steward history

# Approve a model
ai-model-steward approve openrouter/qwen/qwen3-coder:free

# Remove a model
ai-model-steward reject openrouter/qwen/qwen3-coder:free

# View the current switching chain
ai-model-steward deploy list

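Scheduled tasks (automatic)

Two scheduled tasks are built in:

  • Intelligence collection runs every day at 9:00
  • The weekly report is generated every Monday at 10:00

License

MIT

Sponsorship

If this project has helped you, sponsorship is welcome ❤️

  • GitHub Sponsor
  • WeChat reward code
  • Alipay

Author

老徐

Changelog

  • 0.1.0 (2026-03-31) - Initial release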
