Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Auto Model Switch

v1.0.0

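Automatic model switching - when a model's tokens are exhausted or it is rate-limited, automatically switches to a backup model and notifies the user. Supports configuring multiple backup models and an intelligent switching strategy.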

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code implements automatic model switching and gateway integration matching the description. However, the package declares only Node as required while the repo also includes Python implementations and tests (auto_model_switch.py, test.py), which is inconsistent with the declared requirements and increases surface area.
!
Instruction Scope
SKILL.md and the code expect OPENCLAW_GATEWAY_URL and OPENCLAW_GATEWAY_TOKEN to be set and the scripts will call /api/status and POST /api/config/model on that gateway. The registry metadata lists no required env vars even though runtime behavior depends on those environment variables and will send requests to the provided gateway URL with the token.
Install Mechanism
There is no install spec (instruction-only), so nothing will be forced onto disk by the registry. The Node dependency (js-yaml) is standard, but the package-lock references registry.npmmirror.com (a mirror) rather than the default npm registry — this is not necessarily malicious but you should be aware of the alternate registry source.
!
Credentials
The skill requires (and documents) OPENCLAW_GATEWAY_URL and OPENCLAW_GATEWAY_TOKEN to perform model switches. Those are powerful credentials because the skill will attempt to change gateway configuration; yet the metadata declares no required credentials. Requesting a gateway token is proportionate to the claimed purpose, but the omission from the declared requirements is an inconsistency and the token must be trusted (it will be sent to the gateway URL).
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It writes state and history under its own state/ directory, which is expected for this functionality.
What to consider before installing
This skill appears to implement the advertised auto-switching behavior, but review the following before installing:
1) The code uses OPENCLAW_GATEWAY_URL and OPENCLAW_GATEWAY_TOKEN to call your gateway and change model config — only provide a token with minimal required scope and verify you trust the gateway endpoint.
2) The package metadata did not declare these required env vars and lists only Node, yet Python scripts are included; if you don't use the Python parts they can be ignored or removed, but their presence is an inconsistency.
3) package-lock points to a non-default npm mirror (npmmirror.com); if you prefer, run npm install with your controlled registry or audit the downloaded packages.
4) Inspect the code (auto_model_switch.js) and test it in a sandboxed environment before giving it access to production credentials.
If anything is unclear, ask the author to:
(a) declare the gateway env vars in the metadata,
(b) remove unused language artifacts or document why Python is included, and
(c) confirm the minimal scope required of the gateway token.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔄 Clawdis
OS: Linux · macOS · Windows
Bins: node
