Plugin v3.8.4

ClawScan security

ZeroAPI Router · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 10:06 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The plugin's code and behavior generally match a model-routing add-on for OpenClaw, but a packaging/metadata mismatch and unreviewed implementation in files that are in the bundle but were not shown to the scanner (the background monitor and the session-auth module) leave enough uncertainty that you should review those files before installing.
Guidance
This package mostly looks like a legitimate OpenClaw model-routing plugin, but there are two things to check before installing it. (1) Packaging/metadata mismatch: the registry lists the skill as 'instruction-only' and SKILL.md contains package.json-like JSON, yet the bundle includes many executable JS files; confirm how the platform's loader will treat those files and why the metadata differs. (2) Review the files that are in the bundle but were not shown to the scanner (subscription-advisory.js, session-auth.js, inventory.js, router.js, and the onboarding/cron modules) for network calls, external endpoints, code that reads or writes credentials, and code that touches other skills' configs. Pay particular attention to the code that syncs session auth profiles (it can change which account or profile a session uses) and to anything that performs HTTP requests or posts data externally. If you cannot audit those files yourself, run the plugin in a least-privileged sandbox or request a security review from the maintainer before enabling it broadly.

Review Dimensions

Purpose & Capability
ok: The name and description (ZeroAPI Router) align with the code: it inspects prompts, evaluates model candidates, and chooses or overrides models and auth profiles. It reads and writes a zeroapi-config.json and hooks OpenClaw lifecycle events (before_model_resolve, message_sending), which is coherent with routing functionality.
Instruction Scope
concern: The SKILL.md shown here contains package.json-like JSON rather than human-readable runtime instructions, and the registry metadata lists the skill as 'instruction-only' despite the numerous code files. The runtime code reads and writes files in the OpenClaw state directory (~/.openclaw by default), prefixes outgoing messages with advisories, and syncs session auth profiles. Those actions fit a routing purpose, but the mismatch between the declared skill type and the code actually bundled is unexpected and warrants review.
Install Mechanism
note: No external install spec (no downloads) is declared, which is low-risk. However, the bundle includes many JS files (an actual plugin) rather than being instruction-only as the registry says. Verify how the platform will load and execute these files: they will run inside the agent process via the plugin API, with whatever access that process has.
Credentials
ok: The skill does not declare required environment variables or secrets. The code uses optional environment values (OPENCLAW_STATE_DIR, OPENCLAW_CONFIG_PATH, HOME) to locate OpenClaw state and config, which is reasonable for a plugin that reads and writes its own config and state. It does not request unrelated credentials in its metadata. Note that declaring no secrets does not stop code from reading them at runtime; the files listed under Guidance are where any such reads would appear.
Persistence & Privilege
note: always:false (good). The plugin starts a background 'subscription advisory' monitor and writes a delivery file (zeroapi-advisory-delivery.json) into the OpenClaw state directory; it may also modify session auth profiles. These are plausible for its purpose but mean it maintains on-disk state and runs background activity. Review the monitor and session-auth code to confirm there is no unexpected behavior (for example, network exfiltration or overwriting unrelated data).
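The checks the guidance above asks for, as an added example that is not ClawHub's scanner and not the ZeroAPI Router plugin's own code: a Node.js script that flags the instruction-only/executable-bundle mismatch and lists the lines in each bundled file a reviewer should read first (literal URLs and network calls, credential-looking environment reads, exec/eval primitives, file writes, background timers). The manifest shape, file names and file contents below are constructed stand-ins that follow the review's description; the real files have to be taken from the bundle itself.

```javascript
"use strict";
// Added example, not ClawHub's scanner and not the ZeroAPI Router code: a
// static triage pass over a plugin bundle that (1) flags a manifest declared
// "instruction-only" while the bundle ships executable files and (2) lists
// the lines a reviewer should read first. Manifest shape, file names and
// file contents below are constructed stand-ins, not real sources.

const EXECUTABLE_EXT = /\.(?:c|m)?js$/i;

// Env names the review says the plugin legitimately reads to locate state.
const EXPECTED_ENV = new Set(["OPENCLAW_STATE_DIR", "OPENCLAW_CONFIG_PATH", "HOME"]);

// Regexes grouped by the concern the guidance asks a reviewer to check.
// The URL pattern comes first so the host of a literal endpoint is recorded.
const PATTERNS = {
  network: [
    /\bhttps?:\/\/[^\s"'`)]+/,
    /\bfetch\s*\(/,
    /\brequire\(\s*["'](?:https?|net|tls|dns|axios|node-fetch|undici)["']\s*\)/,
  ],
  credentials: [/\b(?:auth|session)Profiles?\b/i],
  exec: [/\brequire\(\s*["'](?:child_process|vm)["']\s*\)/, /\beval\s*\(/, /\bnew\s+Function\s*\(/],
  fsWrite: [/\bfs(?:\.promises)?\.(?:writeFile|appendFile|rename|rm|unlink|copyFile)(?:Sync)?\s*\(/],
  background: [/\bset(?:Interval|Timeout)\s*\(/],
};

// Scan one source file line by line; at most one finding per category per line.
function triageFile(file, source) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    const line = idx + 1;
    for (const [category, regexes] of Object.entries(PATTERNS)) {
      for (const re of regexes) {
        const m = re.exec(text);
        if (!m) continue;
        const finding = { file, line, category, snippet: text.trim() };
        if (m[0].startsWith("http")) finding.host = new URL(m[0]).host;
        findings.push(finding);
        break;
      }
    }
    // Every process.env read: secret-looking names count as credentials, any
    // other name outside the expected set is worth a question.
    for (const m of text.matchAll(/process\.env\.([A-Z0-9_]+)/g)) {
      const name = m[1];
      if (EXPECTED_ENV.has(name)) continue;
      const secretLike = /(?:KEY|TOKEN|SECRET|PASSWORD)$/.test(name);
      findings.push({ file, line, category: secretLike ? "credentials" : "env", snippet: text.trim(), name });
    }
  });
  return findings;
}

// Compare what the registry metadata claims with what the bundle contains.
function checkManifest(manifest, fileNames) {
  const executableFiles = fileNames.filter((f) => EXECUTABLE_EXT.test(f));
  const declaredInstructionOnly = manifest.type === "instruction-only";
  return { declaredInstructionOnly, executableFiles, mismatch: declaredInstructionOnly && executableFiles.length > 0 };
}

function triageBundle(manifest, files) {
  const manifestCheck = checkManifest(manifest, Object.keys(files));
  const findings = Object.entries(files)
    .filter(([name]) => EXECUTABLE_EXT.test(name))
    .flatMap(([name, src]) => triageFile(name, src));
  const hosts = [...new Set(findings.filter((f) => f.host).map((f) => f.host))];
  // This example's own rule, not ClawHub's: a metadata mismatch, a network
  // call, an exec primitive or a credential touch means a human reads the
  // file before the plugin is enabled.
  const needsReview = manifestCheck.mismatch ||
    findings.some((f) => ["network", "exec", "credentials"].includes(f.category));
  return { manifestCheck, findings, hosts, needsReview };
}

// Constructed bundle: names follow the review, contents are stand-ins.
const SAMPLE_MANIFEST = { name: "zeroapi-router", version: "3.8.4", type: "instruction-only", always: false };
const SAMPLE_FILES = {
  "SKILL.md": "# ZeroAPI Router\n",
  "router.js": [
    'const fs = require("fs");',
    'const path = require("path");',
    'const stateDir = process.env.OPENCLAW_STATE_DIR || path.join(process.env.HOME, ".openclaw");',
    'const cfgPath = path.join(stateDir, "zeroapi-config.json");',
    "function saveConfig(cfg) { fs.writeFileSync(cfgPath, JSON.stringify(cfg)); }",
  ].join("\n"),
  "subscription-advisory.js": [
    'const fs = require("fs");',
    'async function poll() { const r = await fetch("https://advisories.example/feed.json"); return r.json(); }',
    'function deliver(m) { fs.writeFileSync("zeroapi-advisory-delivery.json", JSON.stringify(m)); }',
    "setInterval(poll, 60000);",
  ].join("\n"),
  "session-auth.js": [
    "function syncAuthProfile(session, cfg) { session.authProfile = cfg.profile; }",
    "const apiKey = process.env.OPENAI_API_KEY;",
  ].join("\n"),
};

const report = triageBundle(SAMPLE_MANIFEST, SAMPLE_FILES);
for (const f of report.findings) console.log(`${f.file}:${f.line} [${f.category}]${f.host ? " host=" + f.host : ""} ${f.snippet}`);
console.log({ mismatch: report.manifestCheck.mismatch, hosts: report.hosts, needsReview: report.needsReview });
```

To use it on a real bundle, replace SAMPLE_FILES with the bundle's actual contents (read from disk) and SAMPLE_MANIFEST with the registry metadata. The output is a reading list, not a verdict: regex triage misses obfuscated or dynamically assembled calls, so a clean run does not replace the sandbox advice above.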