Model Setup
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its stated model-configuration purpose, but it handles API keys and can persistently rewrite OpenClaw agent model settings with hard-coded paths and incomplete rollback protection.
Install only if you are comfortable giving it model provider API keys and allowing it to edit OpenClaw model and agent configuration files. Before use, verify the paths are yours, avoid the hard-coded /home/yupeng path unless it is correct, and make your own backups of models.json and any config.json files it may change.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your model provider API key will be provided to the skill and saved into the local model configuration.
The skill explicitly collects provider API keys and uses them to configure and test model access. This is expected for the stated purpose, but users should notice that the registry metadata says there is no primary credential.
- **API Key**: API 密钥(格式通常为 `key_id:secret`)
Use only trusted provider base URLs, avoid sharing transcripts containing the key, and prefer a version that declares credential use clearly in metadata.
Testing a model will make an outbound API request using curl and the supplied API key.
The model test runs an external curl process to call the configured API endpoint. This is purpose-aligned, but it is not reflected in the declared required binaries.
output = subprocess.check_output(curl_cmd, stderr=subprocess.PIPE, text=True)
Confirm curl is expected and available, and only test against provider endpoints you trust.
If run with the wrong path, the skill could change the model used by an unintended agent or configuration file.
The script can persistently change an agent's configured model based on a provided agent_path, but it does not constrain that path to the current user's OpenClaw agent directory.
agent_config_path = Path(agent_path) / "agent" / "config.json"
...
agent_config["model"] = f"{provider_id}/{model_config['id']}"
...
temp_path.replace(agent_config_path)Manually verify every config_path and agent_path before running, and prefer an implementation that restricts writes to the current user's expected .openclaw directory.
A user may rely on rollback protection that does not cover every file the skill can modify.
The documentation claims all operations automatically back up configuration files, but the code backs up the main models config only; default config.json and per-agent config.json writes are not separately backed up.
所有操作都会自动备份配置文件以确保安全
Back up models.json and every affected config.json yourself before using --default or --agent, or update the skill to back up and restore all modified files.