ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MetriLLM

v0.2.11

Find the best local LLM for your machine. Tests speed, quality and RAM fit, then tells you if a model is worth running on your hardware.

0· 356·0 current·0 all-time
by@thebluehouse75
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the instructions: it tells you how to install the metrillm CLI, requires Node 20+ and a local LLM server (Ollama or LM Studio), and runs benchmarking commands. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Instructions stay within the benchmarking scope (run metrillm bench, view local ~/.metrillm/results/). One caution: the optional --share command uploads results (model name, scores, hardware specs) to metrillm.dev; the SKILL.md states no personal data is sent, but that claim cannot be verified from instructions alone. The skill does not instruct access to unrelated files or env vars.
Install Mechanism
Installation is via npm (npm install -g metrillm) which is a standard delivery for a Node CLI. npm installs are moderate-risk because they execute third-party code on your system; this is proportionate to the stated purpose but you should inspect the package or source repository before global installation.
Credentials
No environment variables, credentials, or config paths are required. The only data potentially exported is from the explicit --share action (model, scores, hardware specs), which is reasonable for a community leaderboard.
Persistence & Privilege
The skill is not always-enabled and is user-invocable. It does not request persistent elevated privileges or modify other skills. Autonomous invocation is permitted by default (normal), but nothing in the skill attempts to gain extra persistence.
Assessment
This skill is coherent for benchmarking local LLMs, but take two precautions before installing: (1) review the npm package / GitHub repo (https://github.com/MetriLLM/metrillm) or audit the package contents before running npm install -g, since global npm installs execute third-party code on your machine; (2) only use --share if you consent to publishing model names, scores and hardware details (the README says no personal data is sent, but verify what the package actually uploads). Also ensure you have Node 20+ and run Ollama or LM Studio locally as instructed.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f9yq4m2ek6caayshejwn2ms82a5ey

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments