Trusted — Risk Score 5/100
Last scan: 1 day ago
free-models-for-agent
Discover free/cheap models from OpenRouter for AI agents
A legitimate OpenRouter model discovery tool with no malicious behavior; code is fully aligned with documentation.
Skill Name: free-models-for-agent
Duration: 26.6s
Engine: pi
Safe to install
This skill is safe to use. No security concerns identified.

Findings 2 items

Severity: Low
Finding: Reads OPENROUTER_API_KEY from environment [Sensitive Access]
Location: scripts/free-models.js:14
The script reads the OPENROUTER_API_KEY environment variable. This is expected and necessary for the tool's stated purpose of calling the OpenRouter API, and the key is not exfiltrated.
    const API_KEY = process.env.OPENROUTER_API_KEY || null;
→ No action needed — credential is used only for OpenRouter API authentication as documented.

Severity: Low
Finding: Metadata block appended inline in SKILL.md [Doc Mismatch]
Location: SKILL.md:102
SKILL.md has the YAML metadata block (name, alias, description, metadata) appended as plain text after the markdown body rather than being declared as a proper YAML front matter block at the top. This is a minor formatting issue with no security impact.
    name: free-models
    alias:
      - free-models-for-openclaw
      ...
→ Move metadata to a proper YAML front matter block (--- delimiters) at the top of SKILL.md for cleaner spec compliance.

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | | No filesystem access in scripts/free-models.js |
| Network | READ | READ | ✓ Aligned | scripts/free-models.js:21 — native fetch to https://openrouter.ai/api/v1/models |
| Shell | NONE | NONE | | No subprocess or shell execution found |
| Environment | NONE | READ | ✓ Aligned | scripts/free-models.js:14 — reads OPENROUTER_API_KEY from process.env |
| Skill Invoke | NONE | NONE | | No cross-skill invocation |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |

4 findings
Medium: External URL https://openrouter.ai (SKILL.md:9)
Medium: External URL https://openrouter.ai/settings/keys (SKILL.md:82)
Medium: External URL https://openrouter.ai/models (SKILL.md:131)
Medium: External URL https://openrouter.ai/api/v1/models (SKILL.md:132)

File Tree

3 files · 11.0 KB · 413 lines
JavaScript 1f · 248L Markdown 1f · 132L JSON 1f · 33L
├─ 📁 scripts
│ └─ 📜 free-models.js JavaScript 248L · 6.5 KB
├─ 📋 package.json JSON 33L · 859 B
└─ 📝 SKILL.md Markdown 132L · 3.7 KB

Dependencies 1 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| (none) | N/A | npm | No | No external dependencies declared |

Security Positives

✓ No shell execution or subprocess calls — purely JavaScript with native fetch
✓ No filesystem writes — read-only model discovery
✓ Network requests are limited to the declared OpenRouter API endpoint only
✓ No external dependencies in package.json — zero supply chain risk
✓ No obfuscation, base64, or dynamic code execution
✓ No sensitive file path access (~/.ssh, ~/.aws, .env files)
✓ No credential exfiltration — API key is used only for OpenRouter authentication
✓ Code and documentation are fully aligned with no hidden functionality
✓ MIT license — permissive and standard