ClawHub
Code PluginExecutes codesource-linked

Manifest Model Router

Smart LLM router plugin for OpenClaw — picks the best model for each request, balancing quality, speed, and cost

Community code plugin. Review compatibility and verification before install.
manifest-model-router · runtime id manifest-model-router
Install
openclaw plugins install clawhub:manifest-model-router
Latest Release
Version 6.0.2
Compatibility
{
  "builtWithOpenClawVersion": "6.0.2",
  "pluginApiRange": ">=2026.2.0"
}
Capabilities
{
  "bundledSkills": [],
  "capabilityTags": [
    "executes-code",
    "provider:manifest"
  ],
  "channels": [],
  "commandNames": [],
  "configSchema": true,
  "configUiHints": false,
  "executesCode": true,
  "hooks": [],
  "httpRouteCount": 0,
  "materializesDependencies": false,
  "providers": [
    "manifest"
  ],
  "runtimeId": "manifest-model-router",
  "serviceNames": [],
  "setupEntry": false,
  "toolNames": []
}
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description (smart LLM router / Manifest provider) match the package contents: source and built bundle register a 'manifest' provider, provide an 'auto' model, interactive auth onboarding, and tools for usage/cost/health. There are no unexpected external credentials or unrelated binaries requested.
Instruction Scope
SKILL.md only instructs OpenClaw-specific plugin/provider setup commands, a gateway restart, and notes that an API key can be provided via env or interactive onboarding. The instructions do not tell the agent to read unrelated files, scan system credentials, or send data to unknown endpoints. Interactive auth collects a Manifest API key as expected.
Install Mechanism
Metadata states 'No install spec — instruction-only', but the package includes source/dist files and an openclaw.plugin.json (i.e., it's a packaged plugin to be installed by OpenClaw). This is a minor metadata/packaging mismatch but not a security concern: there are no external download URLs or extract steps; the bundle is standard npm-style code (dist/index.js) and tests assert no use of exec/eval/embedded server code.
Credentials
The only credential surface is a Manifest API key (MANIFEST_API_KEY) used for cloud routing; this is proportional to the plugin's function. Registry metadata lists no required env vars (the SKILL.md correctly treats MANIFEST_API_KEY as optional for CI or non-interactive setups). No unrelated credentials or high-privilege env paths are requested.
Persistence & Privilege
always:false (no forced inclusion). The plugin registers provider(s), tools, a service, and a command within the normal OpenClaw plugin model — this is expected for a provider plugin and does not request system-wide privileges or modify other skills' configs.
Assessment
This plugin appears to do what it says: it registers Manifest as an OpenClaw provider, offers an 'auto' routing model, and prompts you to provide your Manifest API key either interactively or via MANIFEST_API_KEY. Before installing: (1) confirm you trust app.manifest.build and are willing to provide a Manifest API key to this plugin; (2) if you need to audit behavior, review dist/index.js and src/auth.ts to see how your key is stored/transmitted; (3) note the package is cloud-only (self-hosted/local users are pointed to the larger 'manifest' package); (4) rotate the API key if you later uninstall and want to revoke access. The only minor oddities are a small metadata/packaging mismatch (no install spec while code files are present) and the SKILL.md treating the env var as optional — both are explainable and not security concerns.
__tests__/build.test.ts:23
Dynamic code execution detected.
dist/index.js:2
Environment variable access combined with network send.
!
dist/index.js:11
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Verification
{
  "hasProvenance": false,
  "scanStatus": "clean",
  "scope": "artifact-only",
  "sourceCommit": "d30ad9a844e7d53070a7cab12401a306814e19ce",
  "sourceRepo": "mnfst/manifest",
  "sourceTag": "d30ad9a844e7d53070a7cab12401a306814e19ce",
  "summary": "Validated package structure and linked the release to source metadata.",
  "tier": "source-linked"
}
Tags
{
  "latest": "6.0.2"
}

manifest-model-router

Cloud provider plugin for Manifest — the smart LLM router for OpenClaw.

Picks the best model for each request based on a multi-dimension complexity score, balancing quality, speed, and cost automatically. Supports 10+ providers with tier-based routing and fallbacks.

Install

openclaw plugins install manifest-model-router
openclaw providers setup manifest-model-router
openclaw gateway restart

The setup wizard prompts for your API key from app.manifest.build. After setup, use manifest/auto as your model.

You can also set the key via environment variable for CI/CD: export MANIFEST_API_KEY=mnfst_...

What it does

  • Registers Manifest as a provider in OpenClaw with the auto model
  • Interactive auth onboarding via openclaw providers setup manifest-model-router
  • Agent tools: manifest_usage, manifest_costs, manifest_health
  • /manifest status command

Self-hosted / Local mode

For a self-hosted server with SQLite and a local dashboard, install the full package instead:

openclaw plugins install manifest

See the manifest package.

Contributing

This package lives at packages/openclaw-plugins/manifest-model-router/ in the mnfst/manifest monorepo.

npm run build --workspace=packages/openclaw-plugins/manifest-model-router   # esbuild bundle
npm test --workspace=packages/openclaw-plugins/manifest-model-router        # Jest tests

Links