A.I. Smart Router

Security checks across malware telemetry and agentic risk

Overview

The router is mostly coherent, but it can silently reroute user prompts across AI providers and some security claims are not consistently implemented.

Install only if you are comfortable with prompts being automatically routed or retried across the AI providers you configure. Review router_config.json, disable providers you do not want used, use routing visibility for sensitive work, and inspect ~/.openclaw/router-state and ~/.openclaw/logs for retained routing metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding:
The skill declares no permissions while the documented behavior clearly implies access to environment variables, networked model calls, file reads/writes, and spawned sessions. This creates a hidden capability gap: reviewers and users cannot accurately assess what the skill can do, and downstream systems may execute it with broader access than expected.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding:
The documented description frames the skill as a router, but the behavior includes persistent local state, logging, rate-limit tracking, dashboards/CLI, hook integration, and sub-agent delegation. That mismatch is security-relevant because operators may approve it for simple routing while it actually performs broader monitoring, storage, and execution-orchestration functions that expand attack surface and data exposure.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
Finding:
The skill promises users will be notified when fallback switches models, but the streaming example yields content from a fallback model without an explicit notification step. In a router that may send data to different providers with different trust and privacy characteristics, silent provider switching undermines transparency, consent, and auditability.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The dashboard presents a 'Security Log (Today)' summary but the implementation returns fixed placeholder values instead of actual log-derived metrics. This can mislead operators into believing the system is monitoring and reporting real security events, causing missed incidents, incorrect risk decisions, and a false sense of protection in a security-sensitive routing component.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The skill advertises security redaction, but the implementation only blocks a few credential patterns and merely warns on common PII like emails, SSNs, and credit cards. Those warned values are still forwarded to the selected external model provider, which can cause unintended disclosure of sensitive data across multiple third-party AI services.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The README explicitly describes 'silent retry' to another provider and 'JIT Compact' summarization of user content without clear upfront consent or prominent warning. That creates a real confidentiality and integrity risk: user prompts may be sent to a different third-party provider than expected, and content may be modified before completion, which is especially sensitive for private, regulated, or high-stakes requests.

Vague Triggers

Severity: High
Confidence: 94%
Finding:
The skill states it operates silently by default with no special commands needed, which makes invocation conditions overly broad. For a skill that can inspect requests, route them to external providers, apply overrides, and potentially persist logs/state, transparent auto-activation increases the risk of unintended processing of sensitive or out-of-scope user data.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The guard can automatically reroute requests from one model/provider to Gemini when context usage crosses a threshold, but it does so without an explicit user-facing consent or disclosure mechanism. In a router handling potentially sensitive prompts, history, or system instructions, this can cause unintended cross-provider data disclosure and violate privacy, compliance, or customer data residency expectations.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The routing logic relies on simple keyword matching for high-risk domains, and some triggers are broad enough to match benign requests out of context. In a model router, unintended routing can bypass expected cost, safety, or review paths and send sensitive tasks to a model chosen for the wrong reason, which is especially risky for security- or shell-related prompts.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding:
The keyword sets in `risk_domains` and related routing metadata include common terms like 'current', 'critical', 'verify', 'execute', and 'security' without contextual constraints, making accidental or adversarial trigger collisions likely. Because this skill is an expertise-aware router with mandatory model selection and HITL thresholds, ambiguous matches can materially alter routing decisions, safety posture, and downstream handling of risky tasks.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The script passes raw user message content into RouterHook and then explicitly calls save_state(), which aligns with the finding that message content may be persisted without any user notice or consent flow. In a routing skill, prompts can contain sensitive business data, credentials, or personal information, so silent retention increases privacy and data-handling risk even if the feature is intended for debugging or routing quality.

Natural-Language Policy Violations

Severity: Medium
Confidence: 93%
Finding:
On context overflow, the router can silently resend the full request to Gemini Pro, changing provider without user approval or clear disclosure. In a router that handles potentially sensitive prompts, silent cross-provider failover increases data-sharing risk and can violate privacy, compliance, or customer routing expectations.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The hook persists routing-decision metadata for every analyzed message via the state manager, and the skill description explicitly includes security redaction and routing of arbitrary user prompts. In this context, prompts may contain secrets, personal data, or sensitive business content, so silent persistence of prompt-derived data without explicit notice, consent, minimization, or retention controls creates a real privacy and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The router persists routing decisions to disk in a long-lived JSONL log that can include session_id, intent, complexity, model choices, token counts, latency, and free-form reason text. In an agent-routing context, these fields can become session-linkable telemetry and may accidentally capture sensitive prompts, user behavior patterns, or internal decision rationale without minimization, retention controls, or any explicit notice/consent mechanism.

VirusTotal

66/66 vendors flagged this skill as clean.