Openclaw Cat

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You will need to place an LLM provider API key in the skill configuration, and that key will be sent to the configured model endpoint.

Why it was flagged

The code uses a user-provided API key to authenticate to the selected LLM provider. This is expected for the stated multi-model LLM purpose, but the key is sensitive and should be scoped to the intended provider.

Skill content

"Authorization": f"Bearer {api_key}"

Recommendation

Use a dedicated, low-privilege API key with spending limits, and only set `base_url` to an endpoint you trust.

What this means

Setup may require manual dependency installation and manual creation of `config.json` if the template is missing.

Why it was flagged

The documentation requires a manual Python dependency install and references a config template, while the supplied manifest does not include `config.json.example`. This is a packaging/setup completeness issue rather than evidence of malicious behavior.

Skill content

pip install requests ... cp config.json.example config.json

Recommendation

Install dependencies from trusted package sources and verify the expected config fields before adding your API key.