Free Ride 1

Security checks across malware telemetry and agentic risk

Overview

FreeRide appears purpose-built for OpenRouter model management, but its install identity is inconsistent and it can persistently change OpenClaw’s global model settings.

Review this before installing. Verify that the ClawHub slug, repository, install command, local path, and version all refer to the same FreeRide package. Use a dedicated OpenRouter key, avoid sharing config or terminal output containing it, back up ~/.openclaw/openclaw.json before running config-changing commands, and run freeride-watcher --daemon only if you want ongoing automatic model rotation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill's instructions require access to sensitive environment data, local files, and network resources, and they modify the user's OpenClaw configuration, yet the skill declares no permissions. That creates a transparency and consent problem: users and orchestrators cannot accurately assess or gate what the skill will do before execution, increasing the risk of unintended secret exposure or config tampering.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 91%
Finding: The documented purpose presents the skill as a simple config helper, but the behavior includes active network probing of models, persistent monitoring, automatic config rotation, and watcher state management. This mismatch is dangerous because users may authorize a low-risk configuration task without realizing they are enabling ongoing background activity, external requests, and autonomous changes to model routing.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The README instructs users to place an API key into an environment variable or persistent OpenClaw configuration without any warning about credential sensitivity, least-privilege handling, shell history exposure, or the risks of committing config files. This can lead to accidental leakage of the OpenRouter key through screenshots, shared configs, logs, backups, or version control, especially for less experienced users following copy-paste setup steps.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding: The invocation guidance uses broad phrases (any mention of free AI, model switching, rate limits, or reducing AI costs) that can match many ordinary conversations. Overbroad triggers make accidental activation more likely, causing unsolicited config edits, restarts, network calls, or installation steps in contexts where the user did not clearly request this skill.

Missing User Warnings

Severity: Medium
Confidence: 78%
Finding: The script directly rewrites the user's OpenClaw configuration and can change the active primary model and fallback chain without any confirmation, backup, or dry-run step. In an agent skill context, silent configuration mutation is more dangerous because invocation may be indirect and users may not realize persistent settings were altered.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The skill exposes multiple short, generic command triggers like "list", "switch", "auto", and "status" without any namespace or invocation scoping. In an agent ecosystem, overly broad triggers can cause accidental activation, command collision with other skills, or unintended execution in unrelated contexts, which is especially risky for a skill that modifies OpenClaw configuration and model selection behavior.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The watcher rewrites the user's OpenClaw configuration automatically during normal operation, including primary model and fallback settings, without an interactive confirmation step or a dry-run mode. In a background daemon or cron context, this can silently change runtime behavior, break expected model policy, and reduce user control over a security-relevant configuration file.

VirusTotal

65/65 vendors flagged this skill as clean.