← 返回 Skills 市场

Openclaw Smart Router

Name: Openclaw Smart Router
Author: atlaspa

作者 AtlasPA · GitHub ↗ · v1.0.0

darwinlinuxwin32 ⚠ suspicious

1060

总下载

当前安装

版本数

在 OpenClaw 中安装

/install openclaw-smart-router

功能描述

Automatically routes AI requests to cost-optimal models based on task complexity and budget, saving 30-50% on model expenses with adaptive learning.

安全使用建议

What to check before installing: - Understand privacy: this skill intercepts every request (prompts, context, usage) and stores analysis/metrics locally. If you send sensitive prompts, review what the code stores and logs. - Review payment behavior: the skill advertises x402 agent payments and states agents can pay for Pro without human approval. Inspect src/x402.js (and any payment-handling code) to see how transactions are initiated and authorized. Confirm whether payments require user-held private keys, platform wallet signing, or external services. If unclear, disable or restrict payment features until you verify the flow. - Confirm dashboard/server exposure: the code depends on express and runs a dashboard (docs cite http://localhost:9093). Ensure it binds only to localhost or is otherwise firewalled if you don't want external access. - Review storage location and retention: the skill will create ~/.openclaw/openclaw-smart-router and a SQLite DB. Decide whether that is acceptable and audit what fields (token counts, selection reasons, any text excerpts) are persisted. - Test in a sandbox: run the skill in an isolated environment to see runtime network calls and what the skill logs/creates. Monitor outbound connections during 'subscribe' or x402 flows. - Consider limiting autonomy: if your platform allows it, disable autonomous agent payments or require explicit human approval for subscriptions. Also limit which agents are permitted to use this skill until you have confidence in payment authorization and data handling. Given the explicit autonomous payment capability and persistent hooks over all requests, exercise caution: the skill appears coherent with its stated routing purpose but the payment/financial automation and persistent data collection are notable risk vectors that should be reviewed and constrained if you proceed.

功能分析

Type: OpenClaw Skill Name: openclaw-smart-router Version: 1.0.0 The OpenClaw Smart Router skill is generally well-structured and uses prepared statements for database interactions, mitigating common SQL injection risks. However, it contains a critical vulnerability in its x402 payment verification mechanism within `src/x402.js`. The `verifyTransactionOnChain` function, intended for on-chain transaction validation, is currently a placeholder that accepts any `tx_hash` string longer than 32 characters as valid. This allows an attacker to bypass payment and gain unauthorized access to the 'Pro tier' features (unlimited routing decisions, advanced learning) by providing a fake transaction hash. This is a significant flaw that undermines the skill's business model and grants unearned privileges, classifying it as suspicious.

能力评估

ℹ Purpose & Capability

The code, docs, and hooks match the advertised purpose: analyzing request complexity, selecting models, learning patterns, and tracking costs. Required binary ('node') and npm dependencies (better-sqlite3, express, commander) are consistent with a local router + dashboard + DB. One mismatch: SKILL metadata declared no required config paths, but implementation intends to create and use a local DB and config under ~/.openclaw/openclaw-smart-router (documented in README/DATABASE-IMPLEMENTATION). This is not catastrophic but should be explicit.

⚠ Instruction Scope

SKILL.md and the hook files explicitly intercept every request (request-before hook), analyze prompt/context, and modify the model selection before calls — so the skill will see the content of all proxied prompts/contexts and provider usage data. That is coherent for a router, but the instructions also state 'Agent can autonomously pay via x402 without human approval' and provide CLI commands to subscribe and trigger payments. Allowing an agent to autonomously create/complete payment transactions increases operational and financial risk and expands the scope beyond mere routing/analytics.

✓ Install Mechanism

No external download URLs are used; code is packaged with package.json and standard npm dependencies. There is no install script that pulls arbitrary remote binaries. Installation is typical for a Node skill (npm + local setup). The skill will create local files (DB, config) and start an Express dashboard — these are expected but should be noted by operators.

⚠ Credentials

The skill declares no required environment variables or primary credential, which is consistent with the manifest, but it integrates x402 payments and references an agent wallet (agentWallet) for quotas/payments. The mechanism for actually signing/transmitting payments is not clear in the provided materials: no credential request is declared, so it likely relies on platform-level agent wallet capabilities. That design is plausible but raises proportionality questions: a routing utility enabling autonomous payments (even at a small recurring amount) should clearly document how payments are authorized, what external endpoints are contacted, and whether any private keys, service tokens, or webhooks are used. The DB and logs will store usage/payment metadata locally; the skill may also record token usage and selection history — acceptable for learning but privacy-sensitive.

ℹ Persistence & Privilege

always:false (not force-included) which is appropriate. The skill registers runtime hooks (request:before, provider:after, session:end) so it will be invoked for relevant lifecycle events — normal for this purpose. It persists state in a local SQLite DB and exposes an Express dashboard (default port referenced in docs). The combination of autonomous invocation + payment capability increases blast radius (agents could autonomously trigger recurring payments) — not forbidden, but this is a non-trivial privilege that users should explicitly authorize and audit.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install openclaw-smart-router
安装完成后，直接呼叫该 Skill 的名称或使用 /openclaw-smart-router 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release of OpenClaw Smart Router: automatic, intelligent model selection for cost savings. - Automatically routes API requests to optimal AI models based on task complexity and budget. - Saves 30–50% on model costs through live analysis and learning from your usage patterns. - Supports multiple providers (Anthropic, OpenAI, Google, etc.) and includes both free & pro tiers. - Learns from routing successes/failures for smarter future choices; includes cost tracking and analytics dashboard. - Local-first: All routing, pattern learning, and data storage occur on your device—no external servers.

元数据

Slug openclaw-smart-router

版本 1.0.0

许可证 —

累计安装 5

当前安装数 5

历史版本数 1

常见问题

Openclaw Smart Router 是什么？

Automatically routes AI requests to cost-optimal models based on task complexity and budget, saving 30-50% on model expenses with adaptive learning. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 1060 次。

如何安装 Openclaw Smart Router？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install openclaw-smart-router」即可一键安装，无需额外配置。

Openclaw Smart Router 是免费的吗？

是的，Openclaw Smart Router 完全免费（开源免费），可自由下载、安装和使用。

Openclaw Smart Router 支持哪些平台？

Openclaw Smart Router 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（darwin, linux, win32）。

谁开发了 Openclaw Smart Router？

由 AtlasPA（@atlaspa）开发并维护，当前版本 v1.0.0。