Add Siliconflow Provider 1

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent guide for adding SiliconFlow as an OpenClaw model provider, with normal configuration and third-party API caveats.

Install this only if you intend to configure SiliconFlow in OpenClaw. Treat the SiliconFlow API key as a secret, review the fallback changes before applying them, and assume future prompts and metadata sent through this provider may leave your local system for SiliconFlow’s service.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The trigger list includes very broad phrases such as adding generic model families or popular model names, which can cause the skill to activate when a user merely discusses Kimi, Qwen3, or free models rather than explicitly requesting SiliconFlow integration. In an agent environment, unintended invocation can lead to configuration drift, accidental provider changes, or prompting the user to disclose/provider-use credentials unnecessarily.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the user to send an API key to third-party SiliconFlow endpoints but does not clearly warn that the key and subsequent prompts/data will be transmitted خارج the local system to an external provider. This omission creates a real risk of administrators enabling data egress without understanding privacy, retention, jurisdiction, or account-compromise implications.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal