Openclaw Cat
PassAudited by ClawScan on May 1, 2026.
Overview
The skill appears to be a simple cat-roleplay LLM helper, with disclosed use of a local config file, an API key, and a small local cache.
Before installing, be comfortable storing an LLM API key in `config.json`, use a trusted model endpoint, and install `requests` from a trusted source. The disclosed local cache only stores generated cat persona attributes.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You will need to place an LLM provider API key in the skill configuration, and that key will be sent to the configured model endpoint.
The code uses a user-provided API key to authenticate to the selected LLM provider. This is expected for the stated multi-model LLM purpose, but the key is sensitive and should be scoped to the intended provider.
"Authorization": f"Bearer {api_key}"Use a dedicated, low-privilege API key with spending limits, and only set `base_url` to an endpoint you trust.
Setup may require manual dependency installation and manual creation of `config.json` if the template is missing.
The documentation requires a manual Python dependency install and references a config template, while the supplied manifest does not include `config.json.example`. This is a packaging/setup completeness issue rather than evidence of malicious behavior.
pip install requests ... cp config.json.example config.json
Install dependencies from trusted package sources and verify the expected config fields before adding your API key.