Skill v1.0.0
ClawScan security
Updating OpenRouter Free Models · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 15, 2026, 6:13 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions do what its description says (fetch, test, and write OpenRouter model lists), but there are mismatches and potentially risky actions (undeclared credential use, writes to user config files, and service restart scripts) that warrant caution before installing.
- Guidance: This package appears to implement exactly what it claims (fetching/testing OpenRouter free models and updating Claude/OpenClaw config), but take these precautions before installing or letting an agent run it automatically:
  - Metadata vs runtime mismatch: The registry lists no required environment variables, but test_models.py expects ANTHROPIC_AUTH_TOKEN or OPENROUTER_API_KEY (or will read an apiKey from ~/.openclaw/openclaw.json). Do not assume it will work without providing a token; also be aware it may read stored tokens from your OpenClaw config.
  - Inspect code before running: Review fetch_models.py, test_models.py, apply_updates.py / apply_updates_openclaw.js, and restart_openclaw.sh. They will overwrite ~/.claude/settings.json and ~/.openclaw/openclaw.json and may kill/restart processes (pkill / launchctl / nohup). Confirm the JSON updates match your desired config structure.
  - Backup configs: Make backups of ~/.claude/settings.json and ~/.openclaw/openclaw.json before running apply/update steps so you can restore if something is wrong.
  - Prefer manual/apply-review workflow: Run python3 fetch_models.py and python3 test_models.py to produce /tmp/verified_models.txt, inspect that file, and only then run the updater scripts manually. Avoid giving an autonomous agent the instruction in README that copies and executes these files without human confirmation.
  - Secrets handling: Prefer setting environment variables for API tokens (OPENROUTER_API_KEY) for testing rather than relying on stored tokens in other config files. Check whether openclaw.json contains sensitive apiKey entries you don't want scripts to read or modify.
  - Test in a safe environment first: Run the complete_test.sh in a container or a throwaway user account to observe behavior (it will try to update and validate configs and call node/openclaw). Confirm restart behavior is acceptable for your system.
  - Provenance: The skill's 'Source' and 'Homepage' are unknown. If you require stronger trust guarantees, request the author/source, or prefer using officially maintained tooling or a vetted plugin.

  If you want, I can list the exact lines in each file that read/write configs, call external endpoints, or restart services so you can review them quickly.
Review Dimensions
- Purpose & Capability (note): The name/description match the included code: scripts fetch models from openrouter.ai, test them, and update Claude and OpenClaw configs. However the registry metadata declares no required environment variables while the runtime scripts clearly expect authentication tokens (ANTHROPIC_AUTH_TOKEN or OPENROUTER_API_KEY or an apiKey inside ~/.openclaw/openclaw.json). That metadata omission is an incoherence the user should notice.
- Instruction Scope (concern): SKILL.md and README instruct the agent/user to read and overwrite user config files (~/.claude/settings.json and ~/.openclaw/openclaw.json), read potential API keys from those files, write /tmp/verified_models.txt, and restart the OpenClaw gateway (pkill/launchctl/nohup). Those are within the stated purpose, but they are intrusive (modify persistent user configs and kill/start processes). The README also contains explicit prompts that encourage an AI to copy and install the skill files into user directories — that automation increases risk if run without review.
- Install Mechanism (ok): There is no external install/download step: all code is bundled in the skill. No archive downloads or remote installers are used. This reduces installation risk compared to fetching arbitrary binaries, but the included scripts themselves perform filesystem and process operations when run.
- Credentials (concern): The runtime scripts require an API token (ANTHROPIC_AUTH_TOKEN or OPENROUTER_API_KEY) or will read an apiKey from ~/.openclaw/openclaw.json, yet the skill metadata lists no required env vars. Reading an existing OpenClaw config to extract an apiKey is reasonable for convenience but is also a capability to access stored credentials; this should have been declared. The scripts also write to user config files which is a privilege that should be proportionally justified and visible to users up front.
- Persistence & Privilege (note): always:false and normal autonomous invocation are used (no 'always' flag). The skill modifies persistent user configuration files and offers a restart script that kills/starts processes (launchctl, pkill, nohup). This level of system interaction is consistent with the declared purpose (updating runtime configs) but increases the blast radius if run by an agent without human review.
