by 安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This package appears to implement the stated feature (parallel calls and merge) but the documentation and code are inconsistent and incomplete. Before installing or using it with real API keys:
- Run it in a sandbox without any provider credentials to verify behavior (the current code simulates API calls).
- Inspect future versions for added network requests — the file already lists many provider endpoints, and a later change could start making real HTTP calls.
- Don't hand over API keys until ...详细分析 ▾
ℹ 用途与能力
The name/description line up with the code: model_router implements parallel invocation and merging. It requires only python3 which is proportionate. However, the code contains a mapping of real provider endpoints (OpenAI, Anthropic, Google, Baidu, Ali, etc.) even though the implementation currently simulates calls. That mapping is plausible for the stated purpose but suggests the skill is intended to call external APIs once implemented.
⚠ 指令范围
SKILL.md instructs use of a 'Router' class in examples ('from model_router import Router') but the module actually exposes ModelRouter and route(); this mismatch is likely to confuse users. The README examples also reference some model names (e.g., 'cursor', 'windsurf', 'codeium') not present in the LLM enum or endpoint map. The SKILL.md does not instruct the agent or user to provide API keys or where to put them, yet the ModelRouter constructor accepts an api_keys dict — incomplete instructions could lead to accidental misuse or surprise network calls if the module is extended.
✓ 安装机制
This is an instruction-only skill with a bundled Python file; there is no install spec that downloads remote archives or executes installers. SKILL.md suggests installing via 'npx clawhub install model-router-waai' (external tooling) but there is no automatic installer embedded in the package. No high-risk download URLs or extract operations are present.
ℹ 凭证需求
The skill declares no required environment variables or credentials, which matches the shipped code (the code simulates calls and does not read env vars). However, given the presence of real API endpoint mappings and the ModelRouter.api_keys parameter, in real use the skill will need provider API keys; SKILL.md gives no guidance about which credentials to supply or how. This lack of documented credential handling is a usability/security concern (users may accidentally provide keys in insecure ways).
✓ 持久化与权限
The skill does not request always:true, does not modify system-wide settings, and does not claim to persist credentials or change other skills' configurations. It runs as a simple module and a small CLI demo; no elevated privileges are requested.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.1.02026/3/16
NULL
● 无害
安装命令
点击复制官方npx clawhub@latest install model-router-waai
镜像加速npx clawhub@latest install model-router-waai --registry https://cn.longxiaskill.com镜像同步中