Is smart-model-switching safe?

https://clawhub.ai/millibus/smart-model-switching

82
SAFE

This skill is a pure markdown instructional document that provides model routing guidelines for Claude-based agents. It contains no code that executes at install time (its JavaScript snippets are documentation examples), no data exfiltration mechanism, and no hidden instructions. The primary concern is a persistent behavioral override that downgrades the model by default and requires explicit escalation, which can degrade output quality on borderline tasks. The filesystem activity observed during install is attributable to the OpenClaw platform's bootstrap, not to the skill itself.

Category Scores

Prompt Injection 72/100 · 30%
Data Exfiltration 100/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (6)

MEDIUM Persistent behavioral override of model selection -20

The skill installs persistent instructions that override the agent's default model routing for every task. The 'Golden Rule', decision tree, and NEVER directives act as system-level behavioral constraints that may conflict with user preferences or platform defaults. While not malicious, this constitutes meaningful behavioral manipulation of the agent.

LOW Imperative tone may override conflicting instructions -8

The skill uses strong imperative language (NEVER, Always, Golden Rule) that could take precedence over softer user instructions or other skills' guidance in the agent's prompt hierarchy.

LOW Illustrative code examples reference platform APIs -5

The skill includes JavaScript examples that call sessions_spawn() with model parameters. They are documentation only and nothing executes at install time, but they show the agent concrete API call patterns that it may follow literally at run time, so they shape behaviour even though they never run during install.

LOW Platform reads sensitive files during install bootstrap -15

The OpenClaw runtime accessed .env, .aws/credentials, .profile, .bashrc, and auth-profiles.json during the install process. This is attributable to the platform bootstrapping (gateway lock, jiti compilation) rather than the skill, but it occurs in the skill's install context.

MEDIUM Capability denial via model downgrading -35

By defaulting all tasks to Haiku and requiring explicit escalation, the skill systematically reduces the agent's reasoning capability. For ambiguous or borderline tasks, this could result in lower quality outputs, missed nuances, or weaker security analysis. Users may not realize the quality degradation is due to model routing rather than inherent limitations.

INFO Homepage URL points to clawhub.com (not clawhub.ai) 0

The skill metadata lists homepage as https://clawhub.com while the registry is clawhub.ai. This is likely a typo but could theoretically be used for domain confusion or phishing if clawhub.com is controlled by a different entity.
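The first two findings (directive-heavy instructions that override model routing), the fourth (sensitive files touched during install) and the last (homepage host differing from the registry host) can each be reproduced as a static check over the skill package. The Python below is an added example, not the ClawHub scanner and not the skill's own code. The sample markdown and metadata are constructed, the directive vocabulary and the severity thresholds are assumptions chosen for illustration, and registrable_domain() is a two-label simplification that uses no public-suffix list.

```python
"""Static checks for an agent-skill package: imperative-directive density,
homepage/registry domain mismatch, and references to sensitive files.
Added example; not the ClawHub scanner and not the skill's code."""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Assumption: uppercase NEVER/ALWAYS/MUST, capitalised "Always" and the phrase
# "Golden Rule" are the imperative forms worth counting; tune for your corpus.
DIRECTIVE_RE = re.compile(r"\b(?:NEVER|ALWAYS|MUST|Always|Golden Rule)\b")

# Files the report saw the platform read during install. The skill text
# itself should not name them; this check only confirms that it does not.
SENSITIVE_PATHS = (".env", ".aws/credentials", ".profile", ".bashrc",
                   "auth-profiles.json")

# Constructed sample skill document (a stand-in, not the real skill's text).
SAMPLE_SKILL_MD = """# Smart model switching

Golden Rule: start every task on the cheapest model and escalate only when needed.

- Always begin with the small model.
- NEVER pick the large model for a task you have not tried on the small one.
- Escalate to the large model only on an explicit failure.
"""

# Constructed metadata; the homepage mirrors the report's INFO finding.
SAMPLE_METADATA = {"name": "smart-model-switching",
                   "homepage": "https://clawhub.com"}
REGISTRY_HOST = "clawhub.ai"


def registrable_domain(host: str) -> str:
    """Last two DNS labels. Simplification: no public-suffix list, so a host
    under a two-label suffix such as co.uk collapses to that suffix."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_directives(markdown: str) -> list[tuple[int, str]]:
    """Return (line_no, stripped line) for every line carrying a directive."""
    return [(i, line.strip())
            for i, line in enumerate(markdown.splitlines(), 1)
            if DIRECTIVE_RE.search(line)]


def directive_count(markdown: str) -> int:
    """Total number of directive tokens in the document."""
    return len(DIRECTIVE_RE.findall(markdown))


def homepage_mismatch(metadata: dict, registry_host: str) -> str | None:
    """Return the homepage host when its registrable domain differs from the
    registry's, the raw value when it is not an http(s) URL, else None."""
    url = metadata.get("homepage", "")
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return url or "<missing>"
    if registrable_domain(parsed.hostname) != registrable_domain(registry_host):
        return parsed.hostname
    return None


def sensitive_path_refs(markdown: str) -> list[str]:
    """Sensitive file names that appear verbatim in the skill text."""
    return [p for p in SENSITIVE_PATHS if p in markdown]


def scan_skill(markdown: str, metadata: dict, registry_host: str) -> list[dict]:
    """Produce findings in the report's severity/title shape. The thresholds
    are assumptions for illustration, not ClawHub's scoring rules."""
    findings = []
    n = directive_count(markdown)
    if n >= 3:  # assumed threshold for a persistent behavioural override
        findings.append({"severity": "MEDIUM",
                         "title": "Persistent behavioral override",
                         "detail": f"{n} imperative directives",
                         "lines": [ln for ln, _ in find_directives(markdown)]})
    elif n:
        findings.append({"severity": "LOW", "title": "Imperative tone",
                         "detail": f"{n} imperative directives",
                         "lines": [ln for ln, _ in find_directives(markdown)]})
    host = homepage_mismatch(metadata, registry_host)
    if host:
        findings.append({"severity": "INFO",
                         "title": "Homepage host differs from registry",
                         "detail": f"{host} vs {registry_host}"})
    paths = sensitive_path_refs(markdown)
    if paths:
        findings.append({"severity": "MEDIUM",
                         "title": "Skill text references sensitive files",
                         "detail": ", ".join(paths)})
    return findings


if __name__ == "__main__":
    for f in scan_skill(SAMPLE_SKILL_MD, SAMPLE_METADATA, REGISTRY_HOST):
        print(f["severity"], f["title"], "-", f["detail"])
```

Run as a file it prints the MEDIUM directive finding (with the line numbers of the Golden Rule, Always and NEVER lines) and the INFO homepage finding for the constructed sample. The homepage check compares registrable domains rather than full hostnames so that a www. or docs. subdomain of the registry does not trip it while clawhub.com still does. The sensitive-path grep only tells you whether the skill text names those files; it cannot attribute the install-time reads the report saw, which is why the report places them on the platform rather than the skill.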