Back to skill

Security audit

Openclaw Model Switch

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it changes local OpenClaw model settings, can store API keys locally, and restarts the OpenClaw gateway.

Install only if you want a skill that can edit ~/.openclaw/openclaw.json, store provider API keys there in plaintext, create backups, and restart the OpenClaw gateway. Back up the config first, restrict its permissions such as chmod 600, avoid committing it to Git, and verify the active model after switching.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation clearly describes capabilities to read and write ~/.openclaw/openclaw.json and invoke shell commands such as restarting the gateway, yet no explicit permissions are declared. This creates a transparency and governance gap: users and the platform may not be able to enforce least privilege or make an informed trust decision before installation.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This script solicits an API key and writes it into the user's persistent OpenClaw configuration, which is a sensitive credential-handling action not obvious from a 'guide' script name. Persisting secrets without explicit security controls, permission hardening, or clear disclosure can expose credentials to other local users, backups, or later unintended processing.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrase '切换模型' is broad and could be invoked during ordinary conversation about models rather than as an intentional request to modify local configuration. In this skill's context, accidental activation is more dangerous because the described behavior includes editing config files and restarting the gateway, which are state-changing operations.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The phrase '新增模型' is similarly ambiguous and may overlap with normal discussion, brainstorming, or documentation requests about adding a model. Because this workflow can collect API keys, persist them to disk, and alter runtime configuration, unintended triggering could expose secrets or cause unauthorized configuration changes.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script modifies both models.json and the user's ~/.openclaw/openclaw.json, then restarts the gateway immediately without any confirmation, dry-run mode, or explicit safety prompt. In an agent-skill context where actions may be triggered from natural language, this increases the risk of unintended configuration changes and service disruption from accidental or ambiguous requests.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.