← Back to Skills Marketplace
75
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install provider-probe
Description
Probe and verify whether an OpenAI-compatible baseURL is a real single-model endpoint or a multi-model aggregation pool. Use when auditing model providers, c...
Usage Guidance
This skill is plausibly what it says (a probe for OpenAI-compatible endpoints) but it instructs the agent to read provider configuration files and to use API keys while not declaring any required config paths or credentials. Before installing or running: (1) inspect the bundled script locally (it is included) and run it yourself in a controlled environment rather than giving the agent broad permission to run it autonomously; (2) do not let the agent read system-wide config files you care about — pass only a minimal, sanitized config or explicit baseURL+apiKey for the provider you want tested; (3) be aware the script will send any API key you supply to whatever base_url you target (that is the intended behavior but is also how keys could be leaked); (4) prefer manual invocation or run inside an isolated container/VM and avoid giving the agent access to your main OpenClaw or cloud provider configs. If the publisher can clarify which config path(s) are needed and declare them (or require explicit user confirmation before reading any files), the inconsistency would be addressed.
Capability Analysis
Type: OpenClaw Skill
Name: provider-probe
Version: 1.0.0
The provider-probe skill is designed to audit LLM providers for authenticity, but it contains high-risk capabilities. The script scripts/provider_probe.py reads a local configuration file (/root/.openclaw/openclaw.json) containing sensitive API keys and transmits them to external endpoints specified in the config or via command-line arguments. While these actions are aligned with the stated purpose of probing providers, the script lacks input validation for the configuration file path and uses a hardcoded browser User-Agent to potentially bypass bot detection. No clear evidence of intentional malice or unauthorized data exfiltration was found, but the handling of secrets and arbitrary network access qualifies as suspicious under the provided criteria.
Capability Assessment
Purpose & Capability
The name/description (probing OpenAI-compatible baseURLs for aggregation vs single-model routes) aligns with the included probe script and checklist. However, SKILL.md explicitly tells the agent to "Read provider config or ask for baseURL + apiKey", yet the registry metadata declares no required config paths or environment credentials — a mismatch between claimed needs and declared requirements.
Instruction Scope
SKILL.md and the bundled script instruct the agent to read provider configuration (examples show /root/.openclaw/openclaw.json) or accept baseURL+apiKey input, then make HTTP calls to /models, /responses and /chat/completions. Those instructions permit reading local JSON config files and transmitting API keys to arbitrary endpoints supplied to the tool. The skill does not declare or restrict which config paths may be accessed, increasing the chance the agent could read and transmit unrelated sensitive configuration if used carelessly.
Install Mechanism
Instruction-only skill with a bundled Python script; no install spec, no network download/install step. Low risk from installation mechanism itself.
Credentials
The code expects API keys either via a CLI --api-key argument or inside a JSON config (cfg['models']['providers'][name]['apiKey']). Yet the skill declares no required env vars or config paths and lists no primary credential. That under-declaration is inconsistent and important: in practice this skill needs sensitive API keys to operate, and if the agent follows the instruction to "read provider config" it may access and transmit those keys to external baseURLs.
Persistence & Privilege
always is false and the skill does not request persistent presence or system-level modifications. The normal default of allowing autonomous invocation applies; this alone is not a flag, but combined with the instruction to read configs and handle API keys it increases potential blast radius if the agent is allowed to run the skill autonomously.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install provider-probe - After installation, invoke the skill by name or use
/provider-probe - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: probe OpenAI-compatible providers for mixed model pools, endpoint compatibility, stability, and trust judgment.
Metadata
Frequently Asked Questions
What is Provider Probe?
Probe and verify whether an OpenAI-compatible baseURL is a real single-model endpoint or a multi-model aggregation pool. Use when auditing model providers, c... It is an AI Agent Skill for Claude Code / OpenClaw, with 75 downloads so far.
How do I install Provider Probe?
Run "/install provider-probe" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Provider Probe free?
Yes, Provider Probe is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Provider Probe support?
Provider Probe is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Provider Probe?
It is built and maintained by Andy Ren (@andyrenxu7255); the current version is v1.0.0.
More Skills