Openrouter Model Picker

Security checks across malware telemetry and agentic risk

Overview

The skill does what it says, but it opens an unauthenticated local apply endpoint that can persistently change OpenClaw model configuration while it is running.

Install only if you trust the publisher and are comfortable with a temporary localhost service that can change your OpenClaw model configuration. Avoid leaving the picker open while browsing untrusted pages, review the selected enabled models before applying, and prefer a version that adds a per-session token, origin checks, and server-side model allowlist validation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
}
        }

        result = subprocess.run(
            ['openclaw', 'config', 'patch', '--stdin'],
            input=json.dumps(patch), capture_output=True, text=True
        )
Confidence
95% confidence
Finding
result = subprocess.run( ['openclaw', 'config', 'patch', '--stdin'], input=json.dumps(patch), capture_output=True, text=True )

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases include broad everyday expressions such as “换模型”, “管理模型”, and “换个模型”, which can easily match normal conversation and invoke a skill that fetches remote data and can modify configuration. In this context, accidental activation is more dangerous than usual because the workflow can lead to local config updates and page refreshes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The description emphasizes convenience but does not clearly warn that the skill writes local files, launches a local service, patches OpenClaw configuration, and automatically refreshes the page after apply. That lack of disclosure can mislead users into invoking a state-changing skill without understanding the consequences, increasing the chance of unsafe or unintended system changes.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
POST /apply performs destructive configuration changes with no authentication, authorization, CSRF protection, or origin restriction, while CORS is set to '*'. In the skill context, this is more dangerous because the server is explicitly intended to hot-update runtime model configuration; any local malicious process or browser page can silently reconfigure the agent, disable models, or force attacker-chosen fallbacks.

Unvalidated Output Injection

High
Category
Output Handling
Content
def patch_config(patch_obj):
    patch_json = json.dumps(patch_obj)
    result = subprocess.run(
        ["openclaw", "config", "patch", "--stdin"],
        input=patch_json,
        capture_output=True,
Confidence
84% confidence
Finding
subprocess.run( ["openclaw", "config", "patch", "--stdin"], input=patch_json, capture_output

VirusTotal

VirusTotal findings are pending for this skill version.
