A.I. Smart Router
v0.1.2
Expertise-aware model router with semantic domain scoring, context-overflow protection, and security redaction. Automatically selects the optimal AI model using weighted expertise scoring (Feb 2026 benchmarks). Supports Claude, GPT, Gemini, Grok with automatic fallback chains, HITL gates, and cost optimization.
⭐ 3· 2.4k·11 current·12 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included code: router, context guard, compactor, executor, dashboard are coherent with a model-routing skill. However the skill metadata declares ANTHROPIC_API_KEY as required while the README/SKILL.md insists the router works with "at least one provider" (Anthropic should be optional). The package also claims optional provider keys (OPENAI/GOOGLE/XAI) but only Anthropic is required — this mismatch is unexplained.
Instruction Scope
SKILL.md and code instruct the agent to read and write state/log files under ~/.openclaw (router-state, logs), run compaction, and call sessions_spawn to delegate to sub-agents. Those file and process operations are reasonable for a router, but the SKILL.md contains prompt-injection patterns (e.g., 'ignore-previous-instructions', 'system-prompt-override') which indicate the runtime instructions themselves may attempt to manipulate prompts or the agent's instruction context. The README also mentions a HITL Telegram notification but no TELEGRAM token is declared — unclear where notifications are sent. Several env/config names (ROUTER_STATE_DIR, ROUTER_LOGS_DIR, openclaw.json/openclaw auth profiles) are used but not declared in requires.env.
Install Mechanism
No install spec is declared (instruction-only), and the README instructs copying/cloning the folder into the skills directory. That is low-risk compared with arbitrary download/executable installers. Code is provided (so files will run on-host), but there is no remote installer URL or archive extraction to flag.
Credentials
The registry metadata requires only ANTHROPIC_API_KEY, yet the code and SKILL.md clearly expect (and offer) optional provider keys for OpenAI/Google/xAI and refer to other envs (ROUTER_STATE_DIR, ROUTER_LOGS_DIR). The HITL/Telegram behavior references notifications without declaring a TELEGRAM_TOKEN. In short: the declared required envs are incomplete/inconsistent with runtime behavior, and the skill will access file-system paths and optional credentials not listed as required.
Persistence & Privilege
always:false (good). The skill persists state and logs under ~/.openclaw and can modify its own state files (circuit breaker, logs, archives). It also can invoke sessions_spawn to create sub-agents — this is expected for a router but increases blast radius if the skill is malicious. There is no request to modify other skills or system-wide configs, and it doesn't force permanent inclusion.
Scan Findings in Context
[ignore-previous-instructions] unexpected: Prompt-injection pattern found inside SKILL.md. A model-router should not include instructions to override prior system instructions; this could be an attempt to manipulate agent behavior at runtime.
[system-prompt-override] unexpected: SKILL.md contains wording/markers that match system-prompt override patterns. This is a red flag because the skill's runtime instructions could be trying to change the agent's system prompt or instruction context.
What to consider before installing
This skill appears mostly consistent with a multi-provider model router, but there are several red flags you should address before installing:
1) The metadata claims only ANTHROPIC_API_KEY is required, but the code expects additional optional provider keys and uses router/log state env vars that aren't declared — don't export credentials you don't intend to use.
2) The SKILL.md contains prompt-injection patterns (e.g., 'ignore-previous-instructions', 'system-prompt-override'); review the SKILL.md and all code for any instructions that attempt to change the agent's system prompt or execute unbounded commands.
3) The HITL gate references Telegram notifications but no TELEGRAM_TOKEN is declared — find where notifications are sent and verify you control that endpoint.
4) Because the skill can read/write ~/.openclaw state and invoke sessions_spawn (spawning sub-agents), run it in an isolated environment or sandbox (or inspect and strip the code) if you decide to try it.
5) If you trust the author and want to proceed, at minimum: (a) audit the code for external network calls/endpoints, (b) remove or neutralize any prompt-override directives, (c) only set provider keys you intend to allow, and (d) run it with least privilege and logging enabled so you can observe behavior.
If you want, provide the omitted files or the rest of SKILL.md and I can re-scan for external endpoints, Telegram logic, or other undisclosed behaviors.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: python3
Env: ANTHROPIC_API_KEY
