Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
model_manager
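v1.0.1
OpenClaw model management tool. Used to view, set, and manage the large language models that OpenClaw uses. Use it when the user mentions any of the following scenarios: switching models, viewing available models, setting fallback models, managing model downgrades. Important: this skill must only be used after receiving explicit instruction from the user.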
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description align with functionality: listing/setting models and managing fallbacks. However, the implementation calls a hardcoded macOS app script (/Applications/QClaw.app/.../openclaw-mac.sh) while the SKILL.md instructs running a workspace-local script path (~/.qclaw/workspace/skills/...). The skill claims to save changes to ~/.qclaw/agents/main/agent/models.json and ~/.qclaw/openclaw.json which is consistent with a model manager, but the hardcoded macOS wrapper makes the skill platform-specific despite no OS restriction.
Instruction Scope
SKILL.md states queries are safe and modifications require explicit user authorization, but the provided Python script performs modifications whenever invoked and does not itself enforce or prompt for user confirmation. The script also contains a bug/inconsistency for the documented 'fallback list' command (the code expects argv[1]=='fallback list' which is inconsistent with typical argv parsing and the documentation). These mismatches mean the runtime behavior may not respect the described safeguards.
Install Mechanism
No install spec or external downloads; the skill is instruction-only plus a local Python script, so there is no package-fetch or remote installer risk.
Credentials
The skill requests no environment variables or external credentials, which is proportional to its stated local-management purpose. Note: the script uses subprocess.run with shell=True and directly interpolates model IDs into shell commands, creating a command-injection risk if untrusted input is passed.
Persistence & Privilege
always is false (good), but disable-model-invocation is false so the agent may invoke the skill autonomously. Combined with the script not enforcing the described 'explicit user authorization' for modification commands and the shell-injection vulnerability, autonomous invocation increases risk. The skill does write through OpenClaw's CLI to local config files (models.json and openclaw.json) which is expected but privileged.
What to consider before installing
This skill aims to manage local OpenClaw models and is plausible, but there are several issues you should address before installing or using it unattended:
1) Platform mismatch — the script calls a macOS-specific path (/Applications/QClaw.app/...) despite no OS restriction; don't install if you aren't on that platform or if that path is absent.
2) Authorization mismatch — SKILL.md says modifications require explicit user permission but the script will perform changes when invoked; ensure the runtime enforces confirmations or only run on explicit user commands.
3) Command injection — model IDs are interpolated into shell commands with shell=True; if the skill receives untrusted input this could execute arbitrary shell commands.
4) Functional bug — the documented 'fallback list' command is not implemented consistently with argv parsing.
Recommended actions: review and patch the script (avoid shell=True, sanitize inputs, fix the fallback-list handling, remove hardcoded macOS paths or add platform checks), restrict autonomous invocation until fixes are applied, and test in a safe environment. If you cannot inspect and/or fix the code, treat the skill as risky and do not grant it autonomous execution rights.
Like a lobster shell, security has layers — review code before you run it.
latest: vk972bxrm4yn0j39v6e6ssbk5nn83nr64
