Coding Plan Assistant

v1.0.0

coding-plan-assistant

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description and code/config align: the skill provides registration guides, pricing comparison, status checks, and stores API keys in .openclaw/.env. The functionality requested (reading/writing local .openclaw/.env, supporting many LLM platform keys) is expected for this purpose. Minor inconsistency: README/SKILL.md claim the .env is added to .gitignore, but no .gitignore file is present in the package—so keys could be accidentally committed unless the user adds .gitignore themselves.
Instruction Scope
SKILL.md and the scripts instruct only to list platforms, show guides, compare pricing, and read/write .openclaw/.env or run the included node scripts; there are no instructions to read unrelated system files, call external arbitrary endpoints, or exfiltrate data. Asking users to provide API keys for storage is within the skill's stated scope.
Install Mechanism
No install specification or external downloads are used. The skill is distributed as source files (Node.js scripts and config) and runs locally; that is a low-risk installation model compared to fetching remote binaries.
Credentials
The skill does not declare required environment variables but is designed to accept and store many service API keys (OpenAI, Claude, GitHub Copilot, Gemini, Qwen, Baidu, OpenRouter) — this is proportionate to its credential-management purpose. Caution: keys are stored in plaintext in .openclaw/.env; the bundle promises .gitignore protection but does not include that file, increasing the risk of accidental commit. The code masks keys when displaying them but does not encrypt secrets at rest.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It will create a .openclaw directory and write .openclaw/.env in the current working directory (or INIT_CWD). This is expected for local credential storage but means secrets are persisted on disk under the project directory.
Assessment
This skill appears to do what it says: it helps you register services, compare pricing, and store API keys locally. Important cautions before installing/using:
1) It stores API keys unencrypted in .openclaw/.env in your current project directory — add .openclaw/.env to your .gitignore immediately to avoid accidental commits (the package claims this but does not include a .gitignore).
2) Verify file permissions on .openclaw/.env and consider using a system secret manager or encrypted store if you need stronger protection.
3) Only paste secrets into the agent if you trust the skill and runtime — any secret you provide will be written to disk.
4) Rotate keys if you suspect they were exposed.
If you want encryption or central secret management, modify the code to use a secure store before saving keys.
