Discover, compare, and configure free/low-cost AI models across multiple platforms
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is mostly a straightforward local CLI for listing models and changing OpenClaw model settings, but users should notice that it can persistently change their default agent model and uses provider API keys.
This appears safe for its stated purpose, but it is not just a model list: its auto and switch commands edit your persistent OpenClaw configuration. Back up ~/.openclaw/openclaw.json if you care about reverting easily, and only configure provider API keys you are comfortable letting OpenClaw use.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the configuration commands can change which AI model OpenClaw uses by default, and those changes remain until manually changed again.
The CLI's auto and switch commands persistently modify OpenClaw's default model configuration. This matches the stated purpose, but it changes agent behavior and should be user-directed.
config["agents"]["defaults"]["model"]["primary"] = primary_model ... config["agents"]["defaults"]["model"]["primary"] = model_id ... save_config(config)
Only run auto or switch when you intend to change your OpenClaw model settings; consider backing up ~/.openclaw/openclaw.json before using it.
If configured, these keys may allow OpenClaw or related tooling to use your model-provider accounts and quotas.
The skill declares optional provider credentials for model services. These are expected for the stated integrations, and the supplied code only checks whether they are present.
"OPENROUTER_API_KEY" ... "GROQ_API_KEY" ... "GOOGLE_API_KEY" ... "HF_TOKEN"
Use provider keys with the least necessary scope, monitor usage, and remove keys you no longer need.
You have less registry-level information about where the package came from or how it should be installed.
The registry metadata provides limited provenance and no install spec, while the package includes setup.py and README instructions to install a local CLI. The included setup.py is simple and has no external dependencies, so this is a provenance/documentation note rather than a concrete unsafe behavior.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Review the included files before installation and prefer installing from a verified repository if available.
