Openclaw Smart Router

Security checks across malware telemetry and agentic risk

Overview

The router’s core model-selection behavior is coherent, but it needs review because it promotes agent-paid subscriptions without approval controls and its payment verification accepts fake-looking transaction hashes.

Install only after reviewing the Pro/x402 workflow. Keep autonomous payment disabled unless you have explicit wallet approval controls and spending limits, do not rely on the current transaction verification for real billing, and treat the local database as sensitive because it stores wallet-linked routing and performance history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises capabilities that imply environment access, networking, and shell execution, but declares no permissions. This creates a transparency and trust problem: users and policy systems cannot accurately assess what the skill may do, increasing the chance of unintended data access, command execution, or outbound communication.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The README makes a strong privacy/security claim that all data stays local and nothing is sent to external servers, yet elsewhere documents x402 subscription, verification, and license endpoints that necessarily involve external communication. This is a dangerous trust-boundary mismatch because users may enable the skill assuming no outbound network or data-sharing behavior when billing and license flows require it.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
Advertising that agents can autonomously pay for service introduces financial-action capability beyond the minimum needed for model routing. In an agent skill context, this is dangerous because it normalizes unattended spending and can lead to unauthorized charges, abuse of wallet access, or silent escalation from free to paid service.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The documented x402 subscription, verification, and license lookup endpoints expand the attack surface from routing into account and billing operations. If exposed or insufficiently protected, these endpoints could enable unauthorized subscription changes, wallet enumeration, or abuse of payment/license workflows.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The Privacy section claims there are no external servers, telemetry, or API calls, yet the skill also documents x402 subscription, verification, and license endpoints. This contradiction can mislead users about data flows and network behavior, undermining informed consent and potentially concealing outbound requests tied to payment or licensing.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The statement that an agent can autonomously pay via x402 without human approval introduces purchasing authority unrelated to the core routing function. Allowing autonomous spending, even for small amounts, materially raises financial risk because the skill can convert optimization logic into unauthorized transactions.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Autonomous subscription payment is not necessary to perform model routing or cost optimization, so it expands the skill's authority beyond its stated purpose. This is a classic scope-creep risk: a utility skill that can spend funds may be abused or misconfigured to trigger purchases the user did not intend.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The API reference explicitly documents ingestion and retention-related fields such as user prompts, context, files, conversation history, and historical task data, but provides no notice about privacy expectations, retention limits, consent, or handling of sensitive content. In a routing skill, this data can contain secrets, proprietary code, personal data, and prior interactions; undocumented storage and learning behavior increases the risk of over-collection, silent retention, and downstream disclosure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation describes storing task- and request-derived metadata, model choices, outcomes, and historical patterns in a persistent SQLite table, but provides no notice, consent flow, retention limit, minimization guidance, or privacy controls. In an agent routing context, prompts, context characteristics, and agent identifiers can reveal sensitive business or personal information, so silent persistence creates a real privacy and compliance risk even if the feature is intended for learning and optimization.

Natural-Language Policy Violations

Medium
Confidence
74% confidence
Finding
The analyzer relies on fixed English keyword sets for reasoning, error, code, and data detection, while non-English support is deferred as a future enhancement. This can systematically misclassify non-English prompts, leading to poorer model selection, unexpected cost/performance behavior, and uneven service quality without transparency to users.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README promotes autonomous upgrades and payment actions without a prominent warning about monetary consequences or the need for human approval. In agent-operated environments, this can cause users to unknowingly grant a tool the ability to spend funds or subscribe to services without sufficient consent controls.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill states it intercepts every API request and stores routing history, analytics, and exportable records, but the README does not provide a prominent privacy warning explaining what content and metadata may be captured. This is risky because intercepted prompts, code, context lengths, and histories may contain sensitive information that users would not expect to be retained or exportable.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill description explicitly permits autonomous paid subscription without a clear warning, consent flow, or approval requirement. That omission makes it easier for users to install a seemingly benign cost-saving tool without realizing it may initiate financial transactions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The router analyzes prompts and persists routing decisions tied to an agent wallet, including task type, complexity, estimated token counts, reasoning-derived flags, model choices, and later response outcome metadata. Even if full prompt text is not directly stored in this file, this creates persistent sensitive prompt metadata without any notice, consent flow, minimization, or retention control, which can expose user behavior, workload characteristics, and potentially confidential usage patterns if the local database is accessed or reused by other components.

VirusTotal

66/66 vendors flagged this skill as clean.