Discover, filter, and select free or low-cost AI models from OpenRouter for OpenClaw and other agent workflows based on context, price, and capabilities.
Security Analysis
medium confidence
The skill's purpose (discovering OpenRouter models) is plausible and mostly coherent, but there are manifest/instruction mismatches: notably, the registry says no env vars while SKILL.md and the CLI require OPENROUTER_API_KEY, and the runtime code checks for that key but never uses it when calling the API. These inconsistencies warrant caution.
The skill claims to discover free/cheap models from OpenRouter and the code indeed queries OpenRouter's models endpoint and filters results — this matches the stated purpose. However, registry metadata declares no required environment variables or primary credential while SKILL.md and the code require an OPENROUTER_API_KEY; that metadata omission is inconsistent.
SKILL.md instructs users to export OPENROUTER_API_KEY and run the CLI. The runtime file enforces that the env var is set (it exits if not), but the fetch call to https://openrouter.ai/api/v1/models does not include the API key in headers or query parameters — either the key is unnecessary for that endpoint or the code is buggy. The instructions therefore reference an env var that is not declared in the registry and not actually used for requests, which is a scope/accuracy problem that could mislead users.
There is no install spec (instruction-only skill with included source files). No third-party downloads or package installs are required and there are no dependencies — this is low-risk from an installation/remote-code-fetch perspective.
Requiring a single OPENROUTER_API_KEY is proportionate to the stated purpose (accessing OpenRouter). But the registry metadata fails to declare this required env var or primary credential, and the code checks for the key but does not use it when making API calls — a mismatch that should be fixed or clarified. There are no additional unrelated secrets requested.
The skill does not request persistent/always-on presence, does not modify other skills or system settings, and does not request access to config paths. Default invocation and user-invocable settings are normal.
Guidance
This skill appears to do what it says (query OpenRouter and filter models), but there are a few red flags to resolve before trusting it:
1) The registry metadata does not list OPENROUTER_API_KEY even though SKILL.md and the CLI tell you to export it; the registry should declare this env var.
2) The runtime checks for OPENROUTER_API_KEY but never attaches it to the fetch request; that is likely a bug (or the endpoint is public).
Ask the author to either (a) update the registry metadata to list OPENROUTER_API_KEY as the primary credential and/or (b) fix the code to send the key to OpenRouter as required (for example add an Authorization header or the correct header parameter).
If you must run it now, do so in an isolated environment and inspect/modify scripts/free-models.js to ensure it sends credentials only to api.openrouter.ai and behaves as expected.
If you want higher assurance, request a corrected manifest (declare OPENROUTER_API_KEY) and a code update that shows how the key is used (e.g., Authorization: Bearer).
Latest Release
v0.3.0
free-models-for-openclaw v0.3.0
- Updated documentation with detailed usage examples and API references for discovering, filtering, and selecting models.
- Added clear instructions for CLI usage and API key setup.
- Provided common free/cheap model recommendations with best use cases.
- Clarified filtering options and advanced model selection methods.
- Improved skill description and metadata to reflect features for OpenClaw and agent workflows.
Published by @qidu on ClawHub