Review and sync one provider's models and related fields into a local OpenClaw config file. Use when fetching upstream provider metadata, mapping and normali...
Security Analysis
Medium confidence. The skill's code and instructions are internally consistent with its stated purpose (safely syncing provider model metadata into a local OpenClaw config), but pay attention to the default absolute config path and to how you provide credentials, and review the script before giving it write access to your config.
The skill's name/description (sync provider metadata into OpenClaw config) matches what the code and SKILL.md do: fetch upstream model lists, map/normalize fields, perform dry-run, create backups, and write minimal changes into the configured OpenClaw JSON. One mismatch: registry metadata declares no required config paths, yet the SKILL.md and script use a default absolute config path (/root/.openclaw/openclaw.json). This should be surfaced to users because the skill will read/write local OpenClaw configuration files.
Runtime instructions stay within the declared purpose: they fetch a user-specified endpoint, map and normalize fields, produce diffs and summaries, perform dry-run, and only write after explicit confirmation (creating backups first). The docs also advise not to write keys/tokens into logs and to avoid broad changes by default. No instructions request unrelated files or system-wide access beyond the OpenClaw config subtree.
No install spec (instruction-only + script included). Nothing is downloaded or executed from external installers; risk from install mechanism is low. The skill includes a Python script that will be written to disk as part of the skill bundle (normal for instruction+script skills).
The skill declares no required environment variables or primary credential, which is reasonable. However, the tool accepts custom headers (including Authorization) via CLI arguments, which means users will likely pass provider tokens on the command line or as headers; be cautious, because command-line arguments can leak in process lists or logs. Also, the SKILL.md and code assume a local absolute config path, which is sensitive, and the metadata does not declare this path explicitly.
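The review above points out that tokens passed as CLI arguments are visible in process lists. The snippet below is an added example for this review (not part of the provider-sync skill or ClawHub) of how a thin wrapper could read the headers from a permission-checked file instead and forward them to the tool. The file format (one `Header-Name: value` per line), the mode 0600 requirement and the wrapper itself are assumptions; the credential file contents in `demo()` are constructed.

```python
"""Load provider headers for a sync tool from a permission-checked file
instead of the command line (added example, not the skill's own code)."""
import os
import stat
import tempfile


class InsecureCredentialFile(Exception):
    """Raised when the credential file could be read by other local users."""


def load_headers(path: str) -> dict:
    """Parse 'Header-Name: value' lines; refuse files readable by group/others.

    Assumed format: blank lines and '#' comments are ignored. The mode check is
    the point: a token in a 0600 file is not exposed the way a CLI argument is.
    """
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise InsecureCredentialFile(f"{path} is not a regular file")
    if st.st_mode & 0o077:
        raise InsecureCredentialFile(f"{path} is readable by others; expected mode 0600")
    headers = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            name, sep, value = line.partition(":")
            if not sep or not name.strip():
                raise ValueError("expected 'Header-Name: value'")
            headers[name.strip()] = value.strip()
    return headers


def redact(headers: dict) -> dict:
    """Form safe for logs and diffs: header names kept, values replaced."""
    return {name: "<redacted>" for name in headers}


def demo() -> tuple:
    """Write a constructed credential file, load it, then show the 0644 rejection.

    Returns (sorted header names, whether the world-readable copy was refused).
    """
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("# constructed sample credential file\n")
            fh.write("Authorization: Bearer PLACEHOLDER_TOKEN\n")
            fh.write("X-Org-Id: demo-org\n")
        os.chmod(path, 0o600)
        names = sorted(load_headers(path))
        os.chmod(path, 0o644)
        try:
            load_headers(path)
            rejected = False
        except InsecureCredentialFile:
            rejected = True
    finally:
        os.remove(path)
    return names, rejected


if __name__ == "__main__":
    loaded, refused = demo()
    print("headers loaded:", loaded, "| 0644 copy refused:", refused)
```

A wrapper would call `load_headers()` and pass the resulting dict to the sync tool's HTTP request, logging only `redact(headers)`; the token never appears in `argv`.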
always:false and disable-model-invocation:false (normal). The skill does write to the user's OpenClaw config when instructed, but only after dry-run and explicit confirmation per the docs; it creates timestamped backups before overwriting. It does not demand permanent automatic inclusion or elevated platform privileges.
Guidance
This skill appears to do what it says: fetch upstream provider metadata, map/normalize fields, produce a minimal diff, and optionally write it to your OpenClaw config with backups. Before running in production:
1) Review the script (scripts/provider_sync.py) yourself to confirm there are no unexpected network callbacks or hardcoded endpoints.
2) Run in dry-run mode first and inspect the generated diff and backup path.
3) Be careful how you pass credentials: avoid exposing tokens on the command line where other local users/processes could see them; prefer passing sensitive headers from a file or secure input if supported.
4) Note the default config path (/root/.openclaw/openclaw.json) and adjust it if your environment uses a different path or user.
5) Keep a copy of backups and test restores on a non-production instance.
6) If you need higher assurance, search the full script for any subprocess calls or outbound network calls unrelated to the user-specified endpoint and verify their intent.
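Steps 1 and 6 of the guidance ask the user to look through the script for hardcoded endpoints, subprocess calls and outbound network calls. The following added example (written for this review, not part of the provider-sync skill) does that check mechanically with Python's `ast` module, so a reviewer does not rely on eyeballing alone. The module watchlists are an assumption about what counts as process- or network-related, and `SAMPLE` is a constructed script with deliberately suspicious lines, not the skill's real code.

```python
"""Static audit of a skill script: subprocess use, network imports and
hardcoded URLs (added example, not the skill's own code)."""
import ast
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed watchlists; extend for your environment.
PROCESS_CALLS = {"os.system", "os.popen", "os.execv", "os.execvp"}
NETWORK_MODULES = {"urllib", "requests", "http", "socket", "httpx", "aiohttp"}
URL_RE = re.compile(r"https?://[^\s\"']+")


@dataclass
class Findings:
    process_calls: list = field(default_factory=list)    # (lineno, dotted name)
    network_imports: list = field(default_factory=list)  # (lineno, module)
    hardcoded_urls: list = field(default_factory=list)   # (lineno, url)


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def audit_source(src: str) -> Findings:
    """Walk the AST and collect the three classes of review findings."""
    f = Findings()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NETWORK_MODULES:
                    f.network_imports.append((node.lineno, alias.name))
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in NETWORK_MODULES:
                f.network_imports.append((node.lineno, node.module))
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name and (name in PROCESS_CALLS or name.split(".")[0] == "subprocess"):
                f.process_calls.append((node.lineno, name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url in URL_RE.findall(node.value):
                f.hardcoded_urls.append((node.lineno, url))
    for lst in (f.process_calls, f.network_imports, f.hardcoded_urls):
        lst.sort()
    return f


def unexpected_endpoints(f: Findings, allowed_hosts: set) -> list:
    """URLs whose host is not the endpoint the user intends to call."""
    return [url for _, url in f.hardcoded_urls
            if urlparse(url).hostname not in allowed_hosts]


# Constructed sample script: a legitimate fetch plus a stray telemetry call.
SAMPLE = """\
import json
import subprocess
import urllib.request

DEFAULT_ENDPOINT = "https://example.invalid/v1/models"

def fetch(url, headers):
    req = urllib.request.Request(url, headers=headers)
    return json.load(urllib.request.urlopen(req))

def notify():
    subprocess.run(["curl", "https://telemetry.example.invalid/ping"])
"""

if __name__ == "__main__":
    findings = audit_source(SAMPLE)
    print("process calls:   ", findings.process_calls)
    print("network imports: ", findings.network_imports)
    print("hardcoded URLs:  ", findings.hardcoded_urls)
    print("unexpected hosts:", unexpected_endpoints(findings, {"example.invalid"}))
```

Run it against `scripts/provider_sync.py` by reading the file into `audit_source()` and passing the host of the endpoint you intend to use to `unexpected_endpoints()`; every line it reports is one to read by hand before granting write access to the config.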
Latest Release
v1.1.6
Switch license to MIT (standard) + add LICENSE + SPDX metadata
Published by @C-Joey on ClawHub