Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Model Manager
v1.0.1OpenClaw 模型配置管理技能。用于添加、删除、更新、查看、切换、检测模型配置。当用户需要:(1) 添加新模型到配置 (2) 删除模型 (3) 更新模型参数(contextWindow、maxTokens等)(4) 查看当前模型列表 (5) 切换主模型 (6) 检查模型可用状态(测试连接)(7) 修复模型配置...
⭐ 0· 68·0 current·0 all-time
by@the2015
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description align with the instructions: adding/removing/updating models, switching primary model, and testing connectivity. However, the SKILL.md explicitly references a local config path (C:\Users\Administrator\.openclaw\openclaw.json) while the registry metadata lists no required config paths — a mild inconsistency in metadata vs. runtime expectations.
Instruction Scope
Runtime instructions tell the agent to read the OpenClaw configuration (including provider API keys), modify it, restart the gateway, and perform parallel HTTP test requests to each provider. These actions are within scope for a model manager, but they include reading secrets from local config and making outbound network calls to provider endpoints — both are sensitive behaviors the user should expect and approve.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written by an installer.
Credentials
The skill does not request environment variables, but it instructs reading provider API keys from the local openclaw.json. Access to those API keys is required for connectivity testing, so the behavior is proportionate to the purpose, but the metadata omits declaring required config paths and secrets. Additionally, references/model-info.md lists provider endpoints; at least one domain (https://wbz-api.939593.xyz) is an unrecognized third-party domain and should be vetted before any tests that would send stored API keys to it.
Persistence & Privilege
No elevated persistence requested (always: false). The skill instructs use of gateway(action=restart) to apply changes, which is normal for configuration changes but requires appropriate privileges; nothing indicates the skill will modify other skills or system-wide settings beyond the OpenClaw config.
What to consider before installing
This skill appears to do what it claims (edit openclaw.json, test provider connectivity), but it will read provider API keys from your OpenClaw config and make HTTP requests to provider endpoints. Before installing or invoking: 1) Back up your openclaw.json. 2) Inspect the config for provider entries and untrusted endpoints (e.g., the reference includes an unfamiliar domain wbz-api.939593.xyz). 3) Ensure you are comfortable the skill may transmit stored API keys to the listed provider URLs. 4) Prefer running connectivity tests in a controlled environment or with revoked/test keys first. 5) Confirm you have permission to restart the gateway and that restarting won't disrupt critical workflows. If you want stronger assurances, request the author/source or a signed/official package and ask them to declare required config paths in the metadata.Like a lobster shell, security has layers — review code before you run it.
latestvk97dwn56wv316516thk1kn95w5848yrb
License
MIT-0
Free to use, modify, and redistribute. No attribution required.