v1.0.1

Model Setup

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 6:11 AM.

Analysis

The skill is mostly aligned with model setup, but it handles API keys and persistently changes OpenClaw agent model configuration in ways that deserve review before use.

Guidance: Review this skill before installing. Use it only if you are comfortable giving it model-provider API keys and allowing it to edit OpenClaw model and agent config files. Verify the Base URL, avoid exposing real keys in command-line arguments when possible, and manually back up any affected models.json and config.json files before changing defaults.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Cascading Failures
Severity: Medium | Confidence: High | Status: Concern
scripts/add_model.py
default_config["model"] = f"{provider_id}/{model_config['id']}" ... agent_config["model"] = f"{provider_id}/{model_config['id']}" ... temp_path.replace(agent_config_path)

The script can persistently change the default model for the main config and for a user-supplied agent path, so one bad provider/model configuration can affect future agent sessions beyond the immediate setup task.

User impact: A wrong, untrusted, or costly model could become the default for future OpenClaw agent work.
Recommendation: Confirm each target agent path and default-model change explicitly, restrict changes to intended OpenClaw config directories, and verify the provider/model before making it default.

Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
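**Always back up**: All operations automatically back up the configuration files ... **Error recovery**: If an operation fails, automatically restore from the backup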

The documentation broadly promises automatic backup and recovery for all operations, but the included add_model.py only backs up the main config_path while also writing config.json and agent config.json without equivalent per-file backup.

User impact: Users may overestimate how reversible the default-model and agent-configuration changes are.
Recommendation: Manually back up models.json and any affected config.json files before use, and update the skill to back up and roll back every file it modifies.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
metadata
Required binaries (all must exist): none ... Primary credential: none ... Required config paths: none

The skill artifacts use python3 scripts, curl-based model testing, API keys, and OpenClaw config paths, so the registry metadata under-declares important operational requirements even though the behavior is purpose-aligned.

User impact: Installation checks may not warn the user that local commands, curl, API keys, and OpenClaw config-file access are needed.
Recommendation: Treat the skill as requiring python3, curl, an API key, and access to the intended OpenClaw configuration files; metadata should be updated to declare these requirements.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
scripts/test_model.py
provider_config = json.loads(sys.argv[1]) ... api_key = provider_config.get("apiKey", "") ... "-H", f"Authorization: Bearer {api_key}"

The API key is supplied inside a command-line JSON argument and then used as a bearer credential for a network request. This is expected for provider testing, but raw keys in command arguments are high-impact credential handling, and the registry metadata declares no primary credential.

User impact: If the key is exposed through command logs, process listings, or a mistaken Base URL, someone else could use the user's model-provider account.
Recommendation: Use only trusted Base URLs, avoid pasting production keys into command-line JSON where possible, prefer secure secret input or environment variables, and rotate any key that may have been exposed.