ClawHub
Code PluginExecutes codesource-linked

Manifest Provider

Smart LLM router plugin for OpenClaw — picks the best model for each request, balancing quality, speed, and cost

Community code plugin. Review compatibility and verification before install.
manifest-provider · runtime id manifest-provider
Install
openclaw plugins install clawhub:manifest-provider
Latest Release
Version 5.33.5
Compatibility
{
  "builtWithOpenClawVersion": "5.33.5",
  "pluginApiRange": ">=2026.2.0"
}
Capabilities
{
  "bundledSkills": [],
  "capabilityTags": [
    "executes-code",
    "provider:manifest"
  ],
  "channels": [],
  "commandNames": [],
  "configSchema": true,
  "configUiHints": false,
  "executesCode": true,
  "hooks": [],
  "httpRouteCount": 0,
  "materializesDependencies": false,
  "providers": [
    "manifest"
  ],
  "runtimeId": "manifest-provider",
  "serviceNames": [],
  "setupEntry": false,
  "toolNames": []
}
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (LLM router for OpenClaw) align with the files and runtime instructions: the package registers a provider, provides onboarding, and exposes tooling. There are no unrelated required binaries, credentials, or config paths declared.
Instruction Scope
SKILL.md only instructs how to install the plugin, run the provider setup wizard (which prompts for the Manifest API key), and use the 'manifest/auto' model and provided tools. It does not instruct reading unrelated files, harvesting other credentials, or sending data to unexpected endpoints beyond manifest.build and the plugin's documented local-mode endpoints.
Install Mechanism
No install spec is included (instruction-only for OpenClaw CLI installs). The package also contains prebuilt dist files and source, but there are no downloads from arbitrary URLs or extraction steps in the SKILL.md. This is low-risk for install mechanism.
Credentials
Registry metadata lists no required env vars, but SKILL.md documents an optional MANIFEST_API_KEY (for CI/CD) and the code/tests use mnfst_*-prefixed keys. Requesting a Manifest API key is proportional to the plugin's purpose. Note: the skill will prompt for and store/propagate the Manifest key into OpenClaw provider config during onboarding; only provide keys intended for Manifest.
Persistence & Privilege
always is false and the skill does not request elevated or global privileges. It registers services/tools within OpenClaw and may run verify checks at service start—this is expected behavior for a provider plugin and is not excessive.
Assessment
This plugin appears to do what it claims: register Manifest as a routing provider and prompt you for a Manifest API key. Before installing: (1) only provide an API key that begins with 'mnfst_' and is intended for Manifest (do not reuse unrelated cloud keys), (2) if you prefer not to run anything in dev/local mode, use the cloud setup flow and avoid installing the full self-hosted 'manifest' package, and (3) if you want extra assurance, review the included openclaw.plugin.json and source (dist/index.js or src/*.ts) to confirm no extra endpoints or file reads are present. Because the skill can be invoked by agents, limit which agents you trust with provider onboarding if you are concerned about automated configuration changes.
__tests__/build.test.ts:23
Dynamic code execution detected.
dist/index.js:2
Environment variable access combined with network send.
!
dist/index.js:11
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Verification
{
  "hasProvenance": false,
  "scanStatus": "clean",
  "scope": "artifact-only",
  "sourceCommit": "db0d8922f9282e06be07c1c9c562234e4c3eb4a5",
  "sourceRepo": "mnfst/manifest",
  "sourceTag": "db0d8922f9282e06be07c1c9c562234e4c3eb4a5",
  "summary": "Validated package structure and linked the release to source metadata.",
  "tier": "source-linked"
}
Tags
{
  "latest": "5.33.5"
}

manifest-provider

Cloud provider plugin for Manifest — the smart LLM router for OpenClaw.

Picks the best model for each request based on a multi-dimension complexity score, balancing quality, speed, and cost automatically. Supports 10+ providers with tier-based routing and fallbacks.

Install

openclaw plugins install manifest-provider
openclaw providers setup manifest-provider
openclaw gateway restart

The setup wizard prompts for your API key from app.manifest.build. After setup, use manifest/auto as your model.

You can also set the key via environment variable for CI/CD: export MANIFEST_API_KEY=mnfst_...

What it does

  • Registers Manifest as a provider in OpenClaw with the auto model
  • Interactive auth onboarding via openclaw providers setup manifest-provider
  • Agent tools: manifest_usage, manifest_costs, manifest_health
  • /manifest status command

Self-hosted / Local mode

For a self-hosted server with SQLite and a local dashboard, install the full package instead:

openclaw plugins install manifest

See the manifest package.

Contributing

This package lives at packages/openclaw-plugins/manifest-provider/ in the mnfst/manifest monorepo.

npm run build --workspace=packages/openclaw-plugins/manifest-provider   # esbuild bundle
npm test --workspace=packages/openclaw-plugins/manifest-provider        # Jest tests

Links