chunhualiao

Rotate OpenRouter Key

by Chunhua Liao · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads: 605 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install rotate-openrouter-key
Description
Safely rotate the OpenRouter API key across all config files in an OpenClaw installation. Finds every location where the key is stored, updates them, restart...
Usage Guidance
This skill appears to do exactly what it claims. Before running it:
  1. Review the included script yourself (it's bundled and readable).
  2. Run with --dry-run to see what would change, then --verify to ensure the new key is valid before writing.
  3. Be aware the script creates timestamped backups and temporary files in the same directories; these backups will contain old API keys, so delete or securely store them after rotation.
  4. Do not paste secrets into public chat; provide the new key only through a secure channel and avoid long-term storage in chat logs.
  5. If you manage remote hosts, the skill's SSH instructions require you to run the script there or copy it over; ensure SSH access is secure.
  6. After successful rotation and verification, disable the old key at openrouter.ai.
If you want extra assurance, run the script on a test system or inspect/modify it to upload backups to a secure vault rather than leaving them on disk.
Capability Analysis
Type: OpenClaw Skill · Name: rotate-openrouter-key · Version: 1.0.0
The skill's stated purpose is benign, aiming to safely rotate OpenRouter API keys. The Python script `scripts/update-openrouter-key.py` is well-behaved, confining file operations to `~/.openclaw` and network calls to `openrouter.ai`. However, the `SKILL.md`, `README.md`, and `references/key-rotation-guide.md` files contain instructions for the AI agent that present critical prompt injection vulnerabilities. Specifically, shell commands involving user-provided input (e.g., `ssh <host> "..."`, `python3 scripts/update-openrouter-key.py --key "sk-or-v1-NEW-KEY"`, `python3 -c "...YOUR-NEW-KEY..."`, `curl ... YOUR-NEW-KEY`) are susceptible to arbitrary command execution if the AI agent does not rigorously sanitize or escape user input before constructing and executing these shell commands. This constitutes a significant remote code execution risk, classifying the skill as suspicious due to these vulnerabilities in its instructions.
Capability Assessment
Purpose & Capability
The name/description (rotate OpenRouter key) align with the included SKILL.md and the helper script. The code searches ~/.openclaw (or OPENCLAW_DIR), updates .env and JSON provider apiKey fields, creates backups, and verifies via openrouter.ai—all consistent with the declared purpose. No unrelated credentials, binaries, or services are requested.
Instruction Scope
SKILL.md limits actions to finding/updating keys under ~/.openclaw, restarting the gateway, and optionally repeating via SSH on remote hosts. The instructions ask the user for the new key and recommend dry-run and verification steps. One minor operational note: the skill asks the user to provide the new key (sensitive secret) but does not mention safe handling/logging of that secret; the script prints key previews and creates backups that will contain secret material.
Install Mechanism
Instruction-only skill with an included Python script; no install spec or external downloads. Risk is limited to the script writing backups and temp files in-place (.bak.<timestamp>, .tmp) which will contain secrets. This is expected for the task but users should be aware backups hold old keys and remain on disk until removed.
Credentials
No required environment variables or credentials are declared; the script optionally reads OPENCLAW_DIR which is reasonable. The script contacts https://openrouter.ai to verify keys (expected). Potential concern: local backup and temp files will contain keys and the tool prints partial key previews; these are proportional but sensitive—users should ensure appropriate filesystem permissions and cleanup of backups.
Persistence & Privilege
Skill is user-invocable, always:false, and does not request permanent agent-level privileges or modify other skills. It performs disk writes only to OpenClaw config files and creates backups; gateway restart is an expected operational step. No suspicious elevation of privilege or persistence is requested.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install rotate-openrouter-key
  3. After installation, invoke the skill by name or use /rotate-openrouter-key
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0: Initial release. Finds all key locations (.env + JSON), priority chain awareness, timestamped backups, API verification, dry-run mode.
Metadata
Slug rotate-openrouter-key
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Rotate OpenRouter Key?

Safely rotate the OpenRouter API key across all config files in an OpenClaw installation. Finds every location where the key is stored, updates them, restart... It is an AI Agent Skill for Claude Code / OpenClaw, with 605 downloads so far.

How do I install Rotate OpenRouter Key?

Run "/install rotate-openrouter-key" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Rotate OpenRouter Key free?

Yes, Rotate OpenRouter Key is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Rotate OpenRouter Key support?

Rotate OpenRouter Key is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Rotate OpenRouter Key?

It is built and maintained by Chunhua Liao (@chunhualiao); the current version is v1.0.0.
