ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Free Ride - Unlimited free AI

v1.0.9

Manages free AI models from OpenRouter for OpenClaw. Automatically ranks models by quality, configures fallbacks for rate-limit handling, and updates opencla...

413· 57.5k·421 current·452 all-time
byShaishav Pidadi@shaivpidadi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, requested network access (openrouter.ai) and the single secret (OPENROUTER_API_KEY) align with a tool that lists, ranks, and configures OpenRouter free models. However, the SKILL.md claims FreeRide 'preserves everything else' and only writes agents.defaults.model and agents.defaults.models, while the code's setup_openrouter_auth() will add an auth profile under config['auth']['profiles'] if missing. That is a functional change to the OpenClaw config not stated in the docs.
Instruction Scope
Runtime instructions (set OPENROUTER_API_KEY, pip install -e ., run 'freeride auto', restart gateway) are appropriate. The code reads the full OpenClaw config (~/.openclaw/openclaw.json) and may write cache and watcher state files (declared in SKILL.md). The mismatch is that the SKILL.md explicitly promises to only touch certain keys but the implementation also ensures an OpenRouter auth profile is present (modifies config['auth']). This is scope-creep relative to the documentation and should be disclosed to users.
Install Mechanism
Install is via local pip (pip install -e .) from the package included in the skill; setup.py only depends on requests. No remote, arbitrary downloads or obscure URLs are used. The skill.json contains an install helper (npx clawhub...) but nothing in the files indicates high-risk install behavior.
Credentials
Only OPENROUTER_API_KEY is required (env or stored in OpenClaw config). That matches the skill's purpose. The code supports multiple keys (JSON array) for rotation, which is reasonable for a tool intended to handle rate limits. No other secrets or unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true and is user-invocable. It will create and update files under ~/.openclaw (openclaw.json, .freeride-cache.json, .freeride-watcher-state.json). The watcher can run as a daemon and will periodically make network requests using your API key(s) to probe models and rotate them. This long-running behavior is expected for auto-rotation but increases the blast radius if the keys are compromised or misused—users should be aware before enabling the daemon.
Scan Findings in Context
[no_findings] expected: No pre-scan injection signals were detected. The code performs network requests to openrouter.ai and filesystem reads/writes under ~/.openclaw, which are expected for this skill.
What to consider before installing
This skill appears to do what it says (manage OpenRouter free models) and only needs your OpenRouter API key(s). Before installing: 1) Back up ~/.openclaw/openclaw.json (the skill will read and modify it). 2) Note the implementation will add an OpenRouter auth profile to your OpenClaw config (not highlighted in SKILL.md) and will create cache and watcher state files under ~/.openclaw. 3) If you enable the freeride-watcher daemon it will periodically use your key(s) to probe/rotate models — only enable if you trust the code and your keys. If you're unsure, inspect the included Python files locally (main.py and watcher.py) or run commands manually without the daemon. Overall: coherent functionality but the docs understate some config changes and the daemon behavior, so proceed with caution.

Like a lobster shell, security has layers — review code before you run it.

latestvk973rxjm4hfndxhb97s3z985f584w8v3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Environment variables
OPENROUTER_API_KEYrequiredOpenRouter API key — get a free one at openrouter.ai/keys

Comments