Back to skill
Skillv1.0.0
ClawScan security
Openclaw Free Models · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 14, 2026, 11:59 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only guide that coherently explains how to configure free AI models and how to supply API keys; it does not request unexpected credentials or install anything on disk.
- Guidance
- This guide is generally coherent and intended to help you configure free models. Before following it: (1) verify the provider URLs (deepseek, open.bigmodel.cn, anthropic, openai) are legitimate and that you trust them; (2) never paste API keys into public places or into third-party chat messages; use the openclaw config mechanism only if you trust the OpenClaw agent and its storage; (3) be cautious about contacting the external person/channel (WeChat/Telegram) or paying for installation — that is outside the skill and may be a social/financial risk; (4) the examples reference an $API_KEY variable even though the skill metadata doesn't declare env vars — treat those as user-side examples, not something the skill will automatically read or exfiltrate.
Review Dimensions
- Purpose & Capability
- okThe skill's name/description (free model configuration) matches the content: step-by-step commands to set models and API keys for several providers. No unrelated binaries, services, or credentials are requested.
- Instruction Scope
- okSKILL.md is a how-to guide with example commands (openclaw config set ..., curl examples) and model recommendations. It does tell the user to set API keys and call provider APIs (expected for this purpose) but does not instruct the agent to read unrelated system files or exfiltrate data.
- Install Mechanism
- okThere is no install spec and no code files; the skill is instruction-only, so nothing is written to disk or downloaded during installation.
- Credentials
- noteThe guide shows using API keys and an environment-style variable ($API_KEY) in examples but the skill metadata does not declare any required env vars — this is a documentation/example inconsistency rather than a hidden request for secrets. Requiring users to add provider API keys to their OpenClaw config is expected for configuring remote models.
- Persistence & Privilege
- okalways is false and the skill is user-invocable. There is no request to modify other skills or system-wide settings; recommending storing API keys in the OpenClaw config is normal for this kind of guide.