Security audit

Smart Model Router

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it advertises: automatically choose a model for substantive requests, with some broad but disclosed behavior users should understand.

Install this only if you want automatic model routing on most substantive requests. Run --setup knowingly, review the generated models.json, and avoid adding the broad AGENTS.md reinforcement line unless you are comfortable with persistent routing behavior that remains subordinate to higher-priority instructions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration

Findings (7)

Description-Behavior Mismatch

Medium

Confidence: 94% confidence
Finding: The setup routine goes beyond passive model routing by reading local agent configuration and generating persistent configuration files on disk. Even though this behavior is gated behind --setup, it expands the skill's trust boundary and creates side effects that are not clearly implied by a router, which can surprise users and alter local agent behavior indirectly.

Description-Behavior Mismatch

Medium

Confidence: 98% confidence
Finding: The setup path inspects AGENTS.md and then recommends adding a persistent instruction to always follow this skill's instructions. That materially changes agent-wide behavior outside the narrow routing function and can be used to establish durable precedence for this skill over future interactions, increasing prompt-injection and policy-bypass risk.

Context-Inappropriate Capability

Medium

Confidence: 88% confidence
Finding: The code reads ~/.openclaw/openclaw.json and workspace/home AGENTS.md files, which are sensitive local configuration sources unrelated to basic per-request routing. This increases the skill's access to local state and may expose agent policy, model inventory, or workspace conventions unnecessarily, broadening the impact if the skill is misused or later modified.

Vague Triggers

High

Confidence: 95% confidence
Finding: Triggering on essentially every substantive request gives the skill continuous influence over user interactions and maximizes opportunities to inspect prompts, invoke local code, and change session state. In this context, the danger is amplified because the skill can run a local script and potentially steer model selection for nearly all conversations, creating a broad attack and privacy surface from a single skill.

Vague Triggers

High

Confidence: 97% confidence
Finding: The recommendation to add an AGENTS.md rule that always follows this skill on every substantive request attempts to create persistence and priority over future behavior, effectively expanding the skill's control beyond its own file. This is especially dangerous because it seeks to harden unconditional invocation even on less capable models, a classic sign of instruction persistence designed to resist normal safety or user-choice boundaries.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The setup function writes models.json directly to the skill directory without checking for an existing file or asking for confirmation. This can overwrite curated routing configuration, causing silent configuration loss or unexpected model-selection behavior that persists across sessions.

Ssd 1

Medium

Confidence: 99% confidence
Finding: The printed instruction encourages users to add a blanket AGENTS.md rule: 'Always follow smart-model-router SKILL.md instructions.' In skill ecosystems, persistent natural-language directives can effectively elevate one skill's authority over later requests and safeguards, making this especially dangerous because it normalizes durable control beyond the stated purpose of choosing a model.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.