Updating OpenRouter Free Models

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but its test/update workflow can use sensitive local tokens, change live Claude/OpenClaw configuration, and restart OpenClaw with limited confirmation.

Install only if you are comfortable with scripts that make authenticated OpenRouter API calls, edit your Claude/OpenClaw model configuration, and potentially restart OpenClaw. Before running it:
  • back up ~/.claude/settings.json and ~/.openclaw/openclaw.json so a bad update can be rolled back;
  • use a dedicated OPENROUTER_API_KEY, not one shared with other tools, so it can be revoked on its own;
  • unset ANTHROPIC_AUTH_TOKEN unless you intentionally want that token sent to OpenRouter;
  • treat complete_test.sh as a live configuration-changing command that fetches models, rewrites configuration and may restart OpenClaw, not as a dry-run test.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (8)

Missing User Warnings

Medium
Confidence: 84%
Finding
The documentation explicitly instructs users to apply configuration updates to `~/.openclaw/openclaw.json` and restart the OpenClaw service, but it does not warn that this modifies live runtime configuration and can interrupt service. In an agent-skill context, users may run these steps verbatim, causing avoidable downtime or broken configuration if the generated JSON is incorrect.

Missing User Warnings

Medium
Confidence: 88%
Finding
Presenting `./complete_test.sh` as a one-command test without clearly stating that it may fetch models, alter configuration, and restart services is dangerous because it obscures side effects behind a seemingly safe test command. Users commonly interpret 'test' commands as non-destructive, so this can lead to unintended configuration changes and service disruption.

Missing User Warnings

Medium
Confidence: 88%
Finding
The README includes copy-pastable prompts that instruct an agent to create directories, copy files, change permissions, and execute local Python scripts. In an agent-skill context, omitting an explicit warning/confirmation boundary around filesystem modification and code execution is dangerous because users may paste these prompts into an agent that performs the actions automatically on unreviewed local files.

Missing User Warnings

Medium
Confidence: 91%
Finding
This installation prompt explicitly tells the agent to copy files into the skill directory, set executable permissions, and run ./complete_test.sh, which is arbitrary local shell execution from the current directory. In a skill meant for AI-assisted installation, that creates a meaningful risk of unintended code execution and local state changes if the directory contents are malicious or have been tampered with.

Missing User Warnings

Medium
Confidence: 84%
Finding
The documented workflow directs users to update configuration files and restart the OpenClaw service, which can alter active application behavior and temporarily interrupt availability. Without a prominent warning about config mutation, service restart side effects, and backup/rollback expectations, an agent or user may apply disruptive changes in production-like environments without understanding the operational impact.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill provides concrete instructions and code to overwrite `~/.claude/settings.json` and `~/.openclaw/openclaw.json`, and even restart a local service, without an explicit warning that this changes persistent user settings. This is dangerous because users may unknowingly alter production behavior, break local tooling, or replace existing model/fallback settings in ways that are hard to recover from.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script executes `node apply_updates_openclaw.js` as part of a 'test' flow, which can modify user configuration files without an explicit prompt, backup, or warning at the point of execution. In a skill intended for updating local model configuration, this side effect is contextually plausible, but it is still dangerous because users may run the script expecting validation rather than persistent changes to `~/.claude/settings.json` or `~/.openclaw/openclaw.json`.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script automatically loads a bearer token and sends it to an external service without any explicit user confirmation or warning at the point of use. In a skill context, this is risky because users may run the tool expecting model testing behavior without realizing it will transmit locally sourced credentials to a third-party endpoint.
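The precautions the Overview recommends (backups of both config files, a dedicated OPENROUTER_API_KEY, ANTHROPIC_AUTH_TOKEN unset) and the findings above about silent config overwrites, service restarts and token transmission can be turned into a pre-flight script that runs before ./complete_test.sh. The script below is an added example written for this report, not code from the skill or from SkillSpector. Everything in it is an assumption about how you would wrap the skill: the config paths, the .bak.<timestamp> backup naming, the ALLOW_ANTHROPIC_TOKEN opt-in, the function names, and the assumption that the skill is a single directory of .sh, .js, .py and .md files.

```shell
#!/usr/bin/env bash
# Pre-flight checks for a skill that rewrites ~/.claude/settings.json and
# ~/.openclaw/openclaw.json and may restart OpenClaw. Added example for this report,
# not code from the skill. Assumed: the config paths below, the .bak.<timestamp>
# backup naming, the ALLOW_ANTHROPIC_TOKEN override, and that the skill lives in
# one directory of .sh/.js/.py/.md files.

CLAUDE_SETTINGS="${CLAUDE_SETTINGS:-$HOME/.claude/settings.json}"
OPENCLAW_CONFIG="${OPENCLAW_CONFIG:-$HOME/.openclaw/openclaw.json}"

# backup_config FILE TS: copy FILE to FILE.bak.TS (mode and mtime preserved) and print
# the backup path. A file that does not exist yet needs no backup, so that succeeds too.
backup_config() {
  local file="$1" ts="$2"
  [ -f "$file" ] || return 0
  cp -p "$file" "$file.bak.$ts" && printf '%s\n' "$file.bak.$ts"
}

# restore_config FILE TS: roll back to the backup made with the same TS.
restore_config() {
  local file="$1" ts="$2"
  [ -f "$file.bak.$ts" ] || { echo "no backup at $file.bak.$ts" >&2; return 1; }
  cp -p "$file.bak.$ts" "$file"
}

# json_valid FILE: 0 if FILE parses as JSON, 1 if not, 3 if no parser is available.
# Run it on both config files after the update and before anything restarts OpenClaw,
# so a malformed file is caught while the backup is still one cp away.
json_valid() {
  if command -v python3 >/dev/null 2>&1; then
    python3 -c 'import json, sys; json.load(open(sys.argv[1]))' "$1" 2>/dev/null
  elif command -v node >/dev/null 2>&1; then
    node -e 'JSON.parse(require("fs").readFileSync(process.argv[1], "utf8"))' "$1" 2>/dev/null
  else
    return 3
  fi
}

# check_env: 0 when a dedicated OPENROUTER_API_KEY is set and ANTHROPIC_AUTH_TOKEN is
# not; 1 when OPENROUTER_API_KEY is missing; 2 when ANTHROPIC_AUTH_TOKEN is set, because
# the skill may send it to OpenRouter. ALLOW_ANTHROPIC_TOKEN=1 is the deliberate opt-in.
check_env() {
  if [ -z "${OPENROUTER_API_KEY:-}" ]; then
    echo "OPENROUTER_API_KEY is not set; create a key used only by this skill" >&2
    return 1
  fi
  if [ -n "${ANTHROPIC_AUTH_TOKEN:-}" ] && [ "${ALLOW_ANTHROPIC_TOKEN:-0}" != 1 ]; then
    echo "ANTHROPIC_AUTH_TOKEN is set and may be sent to OpenRouter; unset it first" >&2
    return 2
  fi
  return 0
}

# audit_skill_dir DIR: print every line in the skill's files that reads a credential,
# talks to the network, names a config file, or restarts something. These are the
# lines to read before ./complete_test.sh runs them. 0 if anything matched, 1 if not.
audit_skill_dir() {
  grep -rnE \
    -e 'ANTHROPIC_AUTH_TOKEN|OPENROUTER_API_KEY|Authorization|Bearer' \
    -e 'curl |wget |fetch\(|requests\.|https?://' \
    -e 'settings\.json|openclaw\.json' \
    -e 'restart|systemctl|launchctl|pkill|kill ' \
    --include='*.sh' --include='*.js' --include='*.py' --include='*.md' "$1"
}

# preflight SKILL_DIR: stop on an environment problem; otherwise back up both
# configs, print the audit, and say how to verify and roll back.
preflight() {
  local ts
  ts=$(date +%Y%m%d%H%M%S)
  check_env || return $?
  backup_config "$CLAUDE_SETTINGS" "$ts"
  backup_config "$OPENCLAW_CONFIG" "$ts"
  echo "== lines to review in $1 =="
  audit_skill_dir "$1" || echo "(no credential, network, config-file or restart references found)"
  echo "backups tagged $ts; after the update: json_valid <file>; to roll back: restore_config <file> $ts"
}

# Usage: . ./preflight.sh && preflight ./openrouter-free-models   (then, if satisfied, ./complete_test.sh)
```

Source the file, run preflight against the skill directory, and read the audit output before running ./complete_test.sh; once it has finished, run json_valid on both config files before allowing OpenClaw to restart, and restore_config with the printed timestamp if the update went wrong. The audit is only a grep over the plain-text scripts and README, so it will not surface credential or network use hidden behind obfuscated code or a script fetched at run time; those are the "Supply Chain" patterns in the list above and need a manual read of whatever the skill downloads.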

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal