SR
SKILLRADAR
AI Security • Benchmarking • Index
Menu
Trust Report v1

add-newcli-provider

为 OpenClaw 配置 code.newcli.com 作为模型源,包含四个 provider:newcli(Claude 主线路)、newcli-aws(Claude AWS 特价线路,消耗 1/24)、newcli-codex(GPT 系列)、newcli-gemini(Gemini 系列)。适用于需要接入 Claude 或 GPT 模型的场景。包含 provider 注册、模型定义、别名配置、fallback 链接入和验证的完整流程。当管理员说想"加 Claude"、"加 GPT"、"配 newcli"、"加 fox 源"、"接入 Claude

Overall
76
Trust
59
Utility
88
Momentum
95

Install caution

Needs manual review

Risk: Medium

Source: OpenClaw Master Skills

Path: skills/add-newcli-provider/SKILL.md

Review flags: filesystem/home-directory access, network access or external URLs, shell command snippets. These are review signals, not definitive security judgments; inspect before installing.

Required permissions

  • Environment variables / secrets
  • Shell commands
  • Network/API usage
  • Filesystem/home access

Permissions are inferred from SKILL.md text only. They are review prompts, not guarantees about runtime behavior.

Risk flags explained

filesystem_write_or_home_accessmedium

Mentions filesystem writes, deletes, home-directory paths, or config/key locations.

network_accessmedium

Mentions external URLs, network APIs, downloads, or HTTP client usage.

shell_commandmedium

Contains shell command snippets. Review commands before copy/paste or agent execution.

Score explanation

Trust

  • Trust starts at 90 before review-signal penalties and metadata bonuses.
  • Risk-signal penalty: -33 from 3 detected flag(s).
  • Metadata bonus: +2 from author/version/description fields.

Utility

  • Utility starts at 55 and rewards clear descriptions, runnable examples, and explicit setup needs.
  • Description present: yes.
  • Command examples detected: 9.
  • Environment variables detected: 1.

Momentum

  • Momentum starts at 45 and uses public repo activity signals.
  • Recent commit activity: latest repo update was 6 day(s) ago.
  • Recent commit volume: 6 commit(s) in the lookback window (+18).
  • Source has strong public adoption: 2049 stars.
  • Fork activity suggests reuse: 309 forks.

Overall

  • Overall score weights trust 45%, utility 35%, and momentum 20%.

Detected signals

Env vars

  • API

Commands

  • curl -s --max-time 15 "https://code.newcli.com/gemini/v1beta/models/<MODEL_ID>:generateContent" -H "x-goog-api-key: <你的API_KEY>" -H "Content-Type: application/json" -d '{"contents":[{"role":"user","parts":[{"text":"hi"}]}]}'
  • curl -s --max-time 15 https://code.newcli.com/claude/aws/v1/messages -H "x-api-key: <你的API_KEY>" -H "anthropic-version: 2023-06-01" -H "Content-Type: application/json" -d '{"model":"<MODEL_ID>","messages":[{"role":"user","content":"hi"}],"max_tokens":10}'
  • curl -s --max-time 15 https://code.newcli.com/claude/v1/messages -H "x-api-key: <你的API_KEY>" -H "anthropic-version: 2023-06-01" -H "Content-Type: application/json" -d '{"model":"<MODEL_ID>","messages":[{"role":"user","content":"hi"}],"max_tokens":10}'
  • curl -s --max-time 15 https://code.newcli.com/codex/v1/chat/completions -H "Authorization: Bearer <你的API_KEY>" -H "Content-Type: application/json" -d '{"model":"<MODEL_ID>","messages":[{"role":"user","content":"hi"}],"max_tokens":10}'
  • openclaw doctor
  • openclaw doctor --fix
  • python3 -c "import json; json.load(open('$HOME/.openclaw/openclaw.json')); print('JSON OK')"
  • tail -20 ~/.openclaw/logs/gateway.err.log
  • ~/.openclaw/openclaw.json

URLs

  • https://code.newcli.com/claude
  • https://code.newcli.com/claude/aws
  • https://code.newcli.com/claude/aws/v1/messages
  • https://code.newcli.com/claude/aws`
  • https://code.newcli.com/claude/v1/messages
  • https://code.newcli.com/claude/v1`(变成
  • https://code.newcli.com/claude`
  • https://code.newcli.com/claude`(OpenClaw
  • https://code.newcli.com/codex/v1
  • https://code.newcli.com/codex/v1/chat/completions
  • https://code.newcli.com/codex/v1/chat/completions`(重复拼接)
  • https://code.newcli.com/codex/v1`

Provenance & evidence

SkillRadar makes each review traceable back to the exact source path, source blob SHA, scanner version, and text-only policy that produced the report.

source
github.com/LeoYeAI/openclaw-master-skills@main
path
skills/add-newcli-provider/SKILL.md
source blob SHA
62f22f5b03c7a0e8675241ffb419c98d1c3a5d24
scanner version
0.3.0
security model
text_only_no_execute_no_install_no_secrets
scan policy
Fetched and scored as text only; no install, no execution, no runtime loading.

Evidence snippets

filesystem_write_or_home_access

…导致对话请求被错误路由到图片生成模型。需要生图时通过 `/model gemini-3-pro-image` 手动切换。 --- ## 第二步:添加 Provider 在 `~/.openclaw/openclaw.json` 的 `models.providers` 下添加三个 provider。 ### 2A. 添加 newcli(Claude 主线…

network_access

…必须分开 - Claude 有两条线路(主线路 vs AWS 特价线路),消耗倍率不同,也需要分开配置 ### ⭐ AWS 特价线路(重要) 服务商提供了独家 AWS 线路:`https://code.newcli.com/claude/aws` | 对比 | 主线路 (newcli) | AWS 线路 (newcli-aws) | |------|---------…

shell_command

…01-...` 的密钥(三个 provider 共用同一个) | | 可用模型列表 | 向服务商确认,或查看账户统计页 | **注意**:NewCLI 的 `/v1/models` 接口有 Cloudflare 防护,无法通过 curl 直接获取模型列表。请以账户后台的实际统计为准,不要依赖文档中的"支持列表"——文档列出的模型不一定全部对你的账户开放。 --- ## 第一步:确认可用模型 **这一步不能跳过。** 不要把文档里列的模型全加上去,要以实际能调通的为准。 ### 1A. 测试 Claude 模型(n

Watch this skill

Get alerted when this skill adds credential requirements, shell commands, external domains, remote installer patterns, or risk-level changes.

Join watchlist beta

Methodology note

SkillRadar scans SKILL.md as hostile text only. It does not execute commands, install packages, or load third-party skills.

View source SKILL.mdBack to changesView sources