Discover and select free or low-cost AI models from OpenRouter optimized for agents with filtering by price, context, provider, and capabilities.
Security Analysis
medium confidence
The skill mostly does what it claims (query OpenRouter for free/cheap models), but there are mismatches between declared requirements and the code/instructions (notably around the API key) that merit caution before installing.
The skill's name and description (discover cheap/free OpenRouter models) align with the provided code and SKILL.md. However the registry metadata lists no required environment variables or primary credential while both the SKILL.md and the script require OPENROUTER_API_KEY to run — an inconsistency between claimed requirements and actual runtime needs.
Runtime instructions explicitly instruct the user to set OPENROUTER_API_KEY and run the CLI; the script enforces presence of that env var. The script then performs network calls only to https://openrouter.ai/api/v1/models (expected). However the script checks for the API key but does not actually include it in the fetch request (no Authorization header), which is an odd inconsistency: the agent will demand a secret but not use it. That mismatch is suspicious and could be an accidental bug or an attempt to cause users to expose a key unnecessarily.
No install spec, no packages downloaded, no dependencies declared. The skill is instruction-plus-small JS script only, which is the lower-risk install pattern.
The only environment variable referenced at runtime is OPENROUTER_API_KEY. Requesting a single API key for OpenRouter is proportionate for this purpose — but the registry failed to declare any required env vars while the SKILL.md and script require the key. Additionally, the code demands the key but never uses it in the network request, meaning users would be prompted to expose a credential unnecessarily.
The skill does not request always:true, does not modify other skills or system-wide config, and has normal autonomous-invocation settings. It does not attempt to persist credentials or alter agent configuration beyond its own operation.
Guidance
This skill's behavior is generally aligned with its description (it fetches model listings from OpenRouter), but there are clear inconsistencies you should address before installing:
- Do not paste a sensitive OpenRouter API key into your environment until you confirm why it's required. The script checks for OPENROUTER_API_KEY but the fetch() call does not send the key. That could be an accidental bug, or it could be misleading the user into exposing a secret unnecessarily.
- Ask the publisher to either (a) declare OPENROUTER_API_KEY in the registry metadata and fix the code to send the key in an Authorization header if the API requires it, or (b) remove the key check if the endpoint is public. A corrected fetch should include the API key in a header like: { Authorization: `Bearer ${API_KEY}` } if needed.
- Review the network behavior: the script only calls https://openrouter.ai/api/v1/models. Ensure you trust that domain and are comfortable with the agent making outbound requests to it.
- Because this is an instruction-only skill with a small script, you can also run it locally in a sandbox first (without real credentials) to observe behavior. If you must test with a real key, create a limited/test API key or run in an isolated environment.
Given the inconsistency (registry vs SKILL.md/script and the unused-but-required API key), treat this as suspicious until the developer clarifies and fixes the mismatch.
Latest Release
v1.0.0
No changes detected in this version.
Published by @qidu on ClawHub