Is jooey/add-newcli-provider safe?
https://github.com/openclaw/skills/tree/main/skills/jooey/add-newcli-provider
This skill is a documentation-only provider configuration guide with no executable code, git hooks, or direct credential exfiltration. However, its core purpose — routing all AI agent conversations through the third-party proxy code.newcli.com — creates a permanent man-in-the-middle channel for all subsequent agent traffic, giving the proxy operator full access to conversation content. Additional concerns include an embedded affiliate referral link creating financial bias, implausible pricing claims suggesting ToS violations, non-existent model IDs, and a built-in warning that the service's AWS endpoint is prohibited from redistribution, indicating likely operation outside provider terms.
Findings (9)
HIGH Persistent third-party MITM proxy for all AI conversations -30
The skill configures code.newcli.com (branded 'FoxCode' / 'NewCLI') as a permanent provider for Claude, GPT, and Gemini within OpenClaw. Once installed and activated, every user prompt and model response passes through this third-party server for all affected providers. The operator has full plaintext access to conversation content and can log, analyze, or resell it without user awareness.
HIGH API key shared with untrusted third-party proxy operator -15
The skill instructs users to place their NewCLI API key (format sk-ant-oat01-...) into the OpenClaw config file. Every proxied API call transmits this key to code.newcli.com. The legitimacy and security posture of this operator are unknown.
HIGH Service operates in likely violation of provider ToS -25
The skill explicitly warns users never to share the AWS route address ('严禁分发 AWS 线路地址,发现封禁不退款', that is, 'redistributing the AWS route address is strictly prohibited; anyone found doing so is banned with no refund'). A legitimate reseller with proper agreements would have no reason to hide endpoint addresses. This strongly implies the service is reselling API access in ways not permitted by Anthropic or AWS, making its continued availability unreliable and its operator's compliance with data protection obligations uncertain.
MEDIUM Affiliate referral link embedded as instruction-level content -10
A referral link generating commission income for the skill author is embedded directly in the SKILL.md body. When this skill is injected into an agent's system prompt, the referral URL and promotional text ('如果觉得这个 Skill 有用,请用我的邀请码注册', that is, 'If you find this Skill useful, please register with my invite code') become part of the agent's operating context. This creates an undisclosed commercial relationship and a financial incentive for the author to maximize install rate.
MEDIUM Implausible pricing claims suggest service misrepresentation -15
The skill claims the AWS route delivers model access at 1/24 the token cost of the main route. No known legitimate Anthropic reseller offers 24x discounted access. This claim either reflects credential sharing across many users (violating ToS), fabricated statistics to attract signups (fraud), or a different cheaper model being substituted silently.
MEDIUM Skill template includes non-existent model IDs -5
The skill lists numerous model IDs that do not correspond to any production model from OpenAI, Anthropic, or Google: gpt-5.3-codex, gpt-5.2, gpt-5.1-codex-max, gpt-5-codex, gemini-3-pro, gemini-3-pro-high, gemini-3-pro-image-4k-21x9, etc. If these are added to a fallback chain as instructed, the agent silently wastes requests on invalid endpoints and may receive unexpected responses from the proxy (e.g., fallback to cheaper models, error responses that confuse the agent).
MEDIUM Overly broad natural-language trigger list risks unintended activation -10
The skill's description frontmatter lists eight trigger phrases including common phrases like '加 Claude', '接入 Claude 模型', '加 GPT' that could match unrelated user requests about adding Claude or GPT to any context, not just OpenClaw provider configuration.
LOW Canary files read-accessed at post-install timestamp -5
All six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and read at timestamp 1771929101.514 — approximately 23 seconds after the install completed. All six were accessed within a single millisecond, consistent with the audit system performing its post-install integrity check rather than skill-triggered access. File content was not modified and the monitoring system reports integrity as intact.
LOW Install behavior clean — standard sparse Git clone -5
The install script performed a standard sparse checkout from github.com/openclaw/skills targeting only the skill subpath. Network activity was limited to github.com (140.82.121.4:443). No unexpected processes, network connections, or filesystem modifications outside the designated skill directory were observed.