Rotate OpenRouter Key
Author: Chunhua Liao · GitHub · v1.0.0
Total downloads: 605 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw
/install rotate-openrouter-key
Description
Safely rotate the OpenRouter API key across all config files in an OpenClaw installation. Finds every location where the key is stored, updates them, restart...
Security recommendations
This skill appears to do exactly what it claims. Before running it: (1) Review the included script yourself (it's bundled and readable). (2) Run with --dry-run to see what would change, then --verify to ensure the new key is valid before writing. (3) Be aware the script creates timestamped backups and temporary files in the same directories; these backups will contain old API keys—delete or securely store them after rotation. (4) Do not paste secrets into public chat; provide the new key only through a secure channel and avoid long-term storage in chat logs. (5) If you manage remote hosts, the skill's SSH instructions require you to run the script there or copy it over; ensure SSH access is secure. (6) After successful rotation and verification, disable the old key at openrouter.ai. If you want extra assurance, run the script on a test system or inspect/modify it to upload backups to a secure vault rather than leaving them on disk.
Functional analysis
Type: OpenClaw Skill
Name: rotate-openrouter-key
Version: 1.0.0
The skill's stated purpose is benign, aiming to safely rotate OpenRouter API keys. The Python script `scripts/update-openrouter-key.py` is well-behaved, confining file operations to `~/.openclaw` and network calls to `openrouter.ai`. However, the `SKILL.md`, `README.md`, and `references/key-rotation-guide.md` files contain instructions for the AI agent that present critical prompt injection vulnerabilities. Specifically, shell commands involving user-provided input (e.g., `ssh <host> "..."`, `python3 scripts/update-openrouter-key.py --key "sk-or-v1-NEW-KEY"`, `python3 -c "...YOUR-NEW-KEY..."`, `curl ... YOUR-NEW-KEY`) are susceptible to arbitrary command execution if the AI agent does not rigorously sanitize or escape user input before constructing and executing these shell commands. This constitutes a significant remote code execution risk, classifying the skill as suspicious due to these vulnerabilities in its instructions.
Capability assessment
Purpose & Capability
The name/description (rotate OpenRouter key) align with the included SKILL.md and the helper script. The code searches ~/.openclaw (or OPENCLAW_DIR), updates .env and JSON provider apiKey fields, creates backups, and verifies via openrouter.ai—all consistent with the declared purpose. No unrelated credentials, binaries, or services are requested.
Instruction Scope
SKILL.md limits actions to finding/updating keys under ~/.openclaw, restarting the gateway, and optionally repeating via SSH on remote hosts. The instructions ask the user for the new key and recommend dry-run and verification steps. One minor operational note: the skill asks the user to provide the new key (sensitive secret) but does not mention safe handling/logging of that secret; the script prints key previews and creates backups that will contain secret material.
Install Mechanism
Instruction-only skill with an included Python script; no install spec or external downloads. Risk is limited to the script writing backups and temp files in-place (.bak.<timestamp>, .tmp) which will contain secrets. This is expected for the task but users should be aware backups hold old keys and remain on disk until removed.
Credentials
No required environment variables or credentials are declared; the script optionally reads OPENCLAW_DIR which is reasonable. The script contacts https://openrouter.ai to verify keys (expected). Potential concern: local backup and temp files will contain keys and the tool prints partial key previews; these are proportional but sensitive—users should ensure appropriate filesystem permissions and cleanup of backups.
Persistence & Privilege
Skill is user-invocable, always:false, and does not request permanent agent-level privileges or modify other skills. It performs disk writes only to OpenClaw config files and creates backups; gateway restart is an expected operational step. No suspicious elevation of privilege or persistence is requested.
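How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install rotate-openrouter-key
- Once installation completes, call the Skill by name or use /rotate-openrouter-key to trigger it
- Provide the required input according to the Skill's parameter description to get structured output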
Version history
v1.0.0
v1.0.0: Initial release. Finds all key locations (.env + JSON), priority chain awareness, timestamped backups, API verification, dry-run mode.
Metadata
FAQ
What is Rotate OpenRouter Key?
Safely rotate the OpenRouter API key across all config files in an OpenClaw installation. Finds every location where the key is stored, updates them, restart... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 605 total downloads so far.
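How do I install Rotate OpenRouter Key?
Run the command "/install rotate-openrouter-key" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is required.
Is Rotate OpenRouter Key free?
Yes, Rotate OpenRouter Key is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does Rotate OpenRouter Key support?
Rotate OpenRouter Key is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Rotate OpenRouter Key?
It is developed and maintained by Chunhua Liao (@chunhualiao); the current version is v1.0.0.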