← Back to Skills Marketplace
Openclaw Router
by
pepsiboy87
· GitHub ↗
· v0.1.0
436
Downloads
0
Stars
2
Active Installs
1
Versions
Install in OpenClaw
/install openclaw-router
Description
Intelligent Model Routing - Save 60% on AI Costs / 智能路由系统 - 节省 60% 成本
Usage Guidance
This package appears to implement an intelligent model router and includes source code; that is coherent with its description. However the docs and source reference many cloud-provider credentials and a home config file while the declared SKILL.md metadata lists no required environment variables. Before installing or enabling: 1) Inspect the Python source (src/) for where it reads environment variables and what it sends over the network; 2) If you must run it, use dedicated, limited-scope API keys (not high-privilege AWS root keys) or run in an isolated environment; 3) Consider running the code locally without enabling automatic network access or running install/test scripts until you audit them; 4) If you plan to supply cloud credentials, prefer service accounts with minimal scopes and rotate keys after testing; 5) If unsure, request the maintainer clarify declared env vars and exact endpoints called (and prefer skills whose SKILL.md lists required credentials).
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-router
Version: 0.1.0
The skill is classified as suspicious due to a significant path traversal vulnerability in `src/process_image.py`. This vulnerability allows the skill to read arbitrary files from the system (e.g., `../../../../etc/passwd`) if a malicious path is provided as the `image_path` argument. The content of such files would then be base64 encoded and sent to a third-party cloud AI provider (e.g., Anthropic, OpenAI, or Alibaba Cloud) for 'analysis', posing a severe data exfiltration risk. While the code's stated purpose is image processing, the lack of input sanitization for `image_path` makes it exploitable for unintended file access and exfiltration. Additionally, `test_bugs.sh` uses `eval` with hardcoded strings, which is a risky pattern, though not directly malicious in this testing context.
Capability Assessment
Purpose & Capability
The skill's name, description, and code files are coherent with an intelligent model routing tool that can prefer local models and call cloud providers. However the SKILL.md metadata declares no required environment variables while other docs and code reference provider API keys and credential paths — this mismatch reduces transparency about what the skill will access.
Instruction Scope
Runtime instructions are mostly limited to install/config/enable and reference a user config at ~/.openclaw/router_config.yaml. But multiple documentation files (GLOBALIZATION.md and others) and likely the code auto-detection logic indicate the skill will read environment variables and service credentials (OpenAI, Anthropic, Alibaba, AWS, Azure, Google) and a Google credentials path. The SKILL.md does not declare these reads, so the agent may access secrets/config outside the declared scope.
Install Mechanism
There is no external download/install spec in SKILL.md (instruction-only). The repository includes scripts and Python source files; nothing in the provided metadata attempts to pull code from an unknown URL or run an external extractor. Risk from installation is low if you only use the packaged code, but scripts like run_tests.sh/test_bugs.sh exist and would execute code if run.
Credentials
The skill's functionality (calling cloud LLM providers) reasonably requires provider API keys. However the skill declares no required environment variables in its metadata while numerous docs and source filenames imply it will auto-detect and use environment credentials (OPENAI_API_KEY, ANTHROPIC_API_KEY, DASHSCOPE_API_KEY, AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY, AZURE_*, GOOGLE_APPLICATION_CREDENTIALS, etc.). Requesting or reading broad platform credentials without declaring them is disproportionate from a transparency and least-privilege perspective.
Persistence & Privilege
The skill is not marked always:true and does not claim to modify other skills or system-wide settings. It writes/reads a config file in the user's home (~/.openclaw/router_config.yaml), which is reasonable for a router/config wizard. No elevated platform privileges are requested in metadata.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install openclaw-router - After installation, invoke the skill by name or use
/openclaw-router - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
- Initial release of the openclaw-router skill.
- Provides intelligent model routing to optimize AI costs, with up to 60% savings.
- Supports both local and cloud models, multi-region, and multilingual (English, Chinese).
- Features include automatic model selection, token and cost tracking, user preference learning, and budget management.
- Offers a free tier (1000 requests/month) and paid plans with unlimited requests and additional features.
- Includes clear setup instructions, configuration examples, and comprehensive documentation.
Metadata
Frequently Asked Questions
What is Openclaw Router?
Intelligent Model Routing - Save 60% on AI Costs / 智能路由系统 - 节省 60% 成本. It is an AI Agent Skill for Claude Code / OpenClaw, with 436 downloads so far.
How do I install Openclaw Router?
Run "/install openclaw-router" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Openclaw Router free?
Yes, Openclaw Router is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Openclaw Router support?
Openclaw Router is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Openclaw Router?
It is built and maintained by pepsiboy87 (@pepsiboy87); the current version is v0.1.0.
More Skills