Trusted: risk score 5/100
Last scanned: 1 day ago
free-models-for-agent
Discover free/cheap models from OpenRouter for AI agents
A legitimate OpenRouter model discovery tool with no malicious behavior; code is fully aligned with documentation.
Skill name: free-models-for-agent
Analysis time: 26.6s
Engine: pi
OK to install
This skill is safe to use. No security concerns identified.

Security findings: 2

Severity: Low
Finding: Reads OPENROUTER_API_KEY from environment (category: Sensitive access)
Location: scripts/free-models.js:14
The script reads the OPENROUTER_API_KEY environment variable. This is expected and necessary for the tool's stated purpose of calling the OpenRouter API, and the key is not exfiltrated.
const API_KEY = process.env.OPENROUTER_API_KEY || null;
→ No action needed — credential is used only for OpenRouter API authentication as documented.

Severity: Low
Finding: Metadata block appended inline in SKILL.md (category: Documentation deception)
Location: SKILL.md:102
SKILL.md has the YAML metadata block (name, alias, description, metadata) appended as plain text after the markdown body rather than being declared as a proper YAML front matter block at the top. This is a minor formatting issue with no security impact.
name: free-models
alias:
  - free-models-for-openclaw
  ...
→ Move metadata to a proper YAML front matter block (--- delimiters) at the top of SKILL.md for cleaner spec compliance.

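| Resource type | Declared permission | Inferred permission | Status | Evidence |
| --- | --- | --- | --- | --- |
| Filesystem | NONE | NONE | | No filesystem access in scripts/free-models.js |
| Network access | READ | READ | ✓ Consistent | scripts/free-models.js:21 — native fetch to https://openrouter.ai/api/v1/models |
| Command execution | NONE | NONE | | No subprocess or shell execution found |
| Environment variables | NONE | READ | ✓ Consistent | scripts/free-models.js:14 — reads OPENROUTER_API_KEY from process.env |
| Skill invocation | NONE | NONE | | No cross-skill invocation |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser automation |
| Database | NONE | NONE | | No database access |
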
4 findings

| Severity | Type | URL | Location |
| --- | --- | --- | --- |
| Medium | External URL | https://openrouter.ai | SKILL.md:9 |
| Medium | External URL | https://openrouter.ai/settings/keys | SKILL.md:82 |
| Medium | External URL | https://openrouter.ai/models | SKILL.md:131 |
| Medium | External URL | https://openrouter.ai/api/v1/models | SKILL.md:132 |

Directory structure

3 files · 11.0 KB · 413 lines
JavaScript: 1 file, 248 lines · Markdown: 1 file, 132 lines · JSON: 1 file, 33 lines
├─ 📁 scripts
│ └─ 📜 free-models.js JavaScript 248L · 6.5 KB
├─ 📋 package.json JSON 33L · 859 B
└─ 📝 SKILL.md Markdown 132L · 3.7 KB

Dependency analysis: 1 item

| Package | Version | Source | Known vulnerabilities | Notes |
| --- | --- | --- | --- | --- |
| (none) | N/A | npm | | No external dependencies declared |

Security highlights

✓ No shell execution or subprocess calls — purely JavaScript with native fetch
✓ No filesystem writes — read-only model discovery
✓ Network requests are limited to the declared OpenRouter API endpoint only
✓ No external dependencies in package.json — zero supply chain risk
✓ No obfuscation, base64, or dynamic code execution
✓ No sensitive file path access (~/.ssh, ~/.aws, .env files)
✓ No credential exfiltration — API key is used only for OpenRouter authentication
✓ Code and documentation are fully aligned with no hidden functionality
✓ MIT license — permissive and standard