Free Ride Xiaoshu

Security checks across malware telemetry and agentic risk

Overview

FreeRide is a disclosed OpenClaw/OpenRouter model-management skill, but it can change your default model routing and should be used deliberately.

Install only if you want this skill to manage your OpenClaw default and fallback models. Back up ~/.openclaw/openclaw.json first, avoid printing or pasting your OpenRouter key, and run freeride-watcher --daemon only if you want ongoing network health checks and automatic model rotation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding:
The skill instructs use of environment variables, reads and writes OpenClaw configuration, and relies on network access to OpenRouter, yet no permissions are declared. This weakens review and consent boundaries because a user or host system cannot clearly see that the skill can modify local config, access secrets, and contact external services.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding:
The documented purpose focuses on configuring free models, but the behavior includes a watcher/daemon, live health-check requests, automatic model rotation, and separate persistent state. That mismatch is security-relevant because operators may approve a simple config helper while unknowingly deploying a continuously running process that makes network calls and changes configuration over time.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The README encourages running an automation command that changes OpenClaw model configuration and later documents automatic rotation, but it does not prominently warn users that agent behavior will be modified and may change during active use. In an agent skill context, silent or under-emphasized reconfiguration can affect reliability, outputs, and incident response because users may not realize their model/provider changed.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The README instructs users to place an OpenRouter API key in an environment variable or application config without warning about secret handling, storage location, or exposure risks. In a tool that edits local config and integrates with other services, insufficient credential-handling guidance increases the chance that secrets are committed to disk insecurely or leaked through shell history, logs, backups, or shared configuration.

Vague Triggers

Severity: Medium
Confidence: 76%
Finding:
The trigger phrases are broad enough to match common conversation about AI costs, model switching, or rate limits, increasing the chance the skill is invoked when the user did not intend a configuration-changing workflow. Because the skill can alter config and restart services, overbroad activation raises the risk of unintended system changes.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The instructions direct the agent to modify ~/.openclaw/openclaw.json and restart the OpenClaw gateway without an explicit warning or confirmation. These are state-changing and service-impacting operations; if performed automatically, they can disrupt active sessions, alter model routing, and overwrite user expectations about local configuration.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding:
The skill overwrites the user's OpenClaw configuration file directly without confirmation, backup, locking, or atomic write protections. This can unexpectedly alter model/auth settings or corrupt configuration if interrupted, which is especially relevant because the tool manages persistent agent behavior.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The watcher automatically rewrites the user's OpenClaw configuration when it decides a model should rotate, without an interactive confirmation or an explicit opt-in at the moment of change. In a tool that can run as a daemon or cron job, silent config mutation can unexpectedly alter model selection, fallback behavior, and downstream billing/behavior, making it a genuine security-relevant integrity issue even if the feature is intentional.

VirusTotal

66/66 vendors flagged this skill as clean.
