Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Free AI Bot
v1.0.0
🤖 Free AI Bot - a free AI aggregator. Integrates Ollama local models + Cloudflare Workers AI + Groq and other free resources, with smart routing and failover, so AI runs at zero cost.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (local Ollama + free cloud fallbacks) align with the included script and SKILL.md. The primaryEnv OLLAMA_HOST is appropriate. However, registry metadata requires the 'curl' binary while the Python script uses the 'requests' library (no use of curl anywhere) and no Python dependencies are declared—this is an incoherence between declared requirements and actual implementation.
Instruction Scope
SKILL.md instructs exactly what the script does (set OLLAMA_HOST, optional CF/GROQ tokens, run the Python script). The script only calls the listed providers. It does not attempt to read unrelated system files or exfiltrate arbitrary data. However, the call_cloudflare() implementation contains a syntax/URL bug (f-string uses {account_id/ai/run/... which is invalid and will produce a runtime error), so Cloudflare calls will fail or be malformed. The code prints errors to stderr but would not silently exfiltrate secrets; still, providing real API tokens would cause them to be transmitted to external provider endpoints (as intended) — be cautious.
Install Mechanism
No install spec is provided (instruction-only plus bundled script), so the skill does not download or install third-party binaries during installation. This is lower risk. Note: the repository/script expects Python and the 'requests' package, but no dependency management (requirements.txt) or install steps are declared.
Credentials
Requesting OLLAMA_HOST as the primary credential is proportionate to the stated purpose. The script also optionally reads CF_ACCOUNT_ID, CF_API_TOKEN, and GROQ_API_KEY to call external providers—these are relevant but are not listed as 'required' in the registry metadata (they are optional). Users should understand that providing those tokens will send them to the respective external APIs. No unrelated credentials are requested.
Persistence & Privilege
The skill does not request always: true, does not persist configuration across other skills, and does not modify system-wide settings. It runs as an on-demand script and has no elevated persistence or privileges.
What to consider before installing
This skill appears to implement what it claims (use local Ollama first, then Cloudflare or Groq as fallbacks), but there are sloppy/incoherent parts you should address before trusting it with real API keys:
(1) The metadata declares 'curl' but the script uses Python's requests — install the requests package (pip install requests) or update the skill metadata;
(2) call_cloudflare() contains a malformed f-string/URL and will fail — inspect and fix the Cloudflare endpoint before supplying CF credentials;
(3) No requirements.txt or dependency declaration exists, so run in an isolated environment (virtualenv/container) to avoid supply-chain surprises;
(4) Only provide CF/Groq tokens if you trust those external services and understand that those tokens will be sent to their APIs;
(5) If you want higher assurance, request the upstream source repository or a corrected release from the author, or patch the script locally to fix the URL and add dependency declarations.
Because these issues look like developer mistakes rather than clear malice, treat the skill as usable after review/fixes, but do not supply sensitive credentials until you or the author fix the code and confirm endpoints.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🤖 Clawdis
Bins: curl
Primary env: OLLAMA_HOST
