Astrai Inference Router

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised LLM routing, but it also sends users' provider API keys to Astrai while its documentation understates or contradicts that risk.

Review carefully before installing. Only use this if you intentionally trust Astrai with both your prompts and your provider API keys; prefer restricted or low-limit provider keys, monitor billing, and revoke/rotate keys if you disable the skill. Do not rely on the stated local PII stripping unless the publisher adds code that actually performs it before routing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding: The skill declares environment-variable requirements and external network endpoints, and it explicitly states that it intercepts and reroutes all LLM API calls through a third-party gateway, yet no explicit permissions model is declared. That mismatch is a real security issue because users may not receive clear consent or visibility that prompts, metadata, and API-backed requests will be sent off-platform, increasing the risk of unintended data exposure and secret misuse.

Description-Behavior Mismatch

Severity: Medium
Confidence: 99%
Finding: The plugin serializes all discovered provider API keys into the X-Astrai-Provider-Keys header and sends them to a third-party service. That gives Astrai direct possession of credentials for multiple upstream AI providers, which materially expands trust boundaries and creates risk of key misuse, compromise, logging leakage, or unauthorized downstream charges.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding: The docstring claims provider API keys 'stay with you' and implies 'zero risk of token drain,' but the implementation sends those keys to Astrai in request headers. This mismatch is dangerous because it can cause operators to deploy the plugin under false assumptions, exposing sensitive credentials to a remote service they may not have intended to trust at that level.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The code sends provider API keys to a remote endpoint without any user-facing warning, interactive consent, or runtime guardrail. In this skill context, that is especially dangerous because the plugin is marketed as a privacy/cost optimization layer, so users may not expect that their long-lived secrets are being exfiltrated to an external router service.

VirusTotal

66/66 vendors flagged this skill as clean.