openrouter-usage

Pass

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: SAFE (DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
  • [DATA_EXFILTRATION]: The skill retrieves the OpenRouter API key from the local OpenClaw authentication store at ~/.openclaw/agents/*/agent/auth.json. This key is used to authenticate requests to the service provider.
  • [EXTERNAL_DOWNLOADS]: The script makes network requests to the official OpenRouter API (openrouter.ai) to fetch credit and usage data. This communication is restricted to the legitimate service being tracked.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it processes untrusted data from session log files.
      • Ingestion points: scripts/openrouter_usage.py reads JSONL session logs from the ~/.openclaw directory.
      • Boundary markers: No explicit delimiters or markers are used to wrap the log data in the generated report.
      • Capability inventory: The skill has read access to local authentication and session files and performs network requests to the OpenRouter service.
      • Sanitization: The script does not sanitize model names or token data extracted from the logs before presenting them to the agent in the usage report.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 5, 2026, 07:56 AM