llm-key-pool

Security checks across malware telemetry and agentic risk

Overview

This is a coherent LLM API key rotation tool, but users should handle its key file and multi-provider routing carefully.

Install only if you are comfortable letting the agent use the configured provider API keys and automatically fail over among them. Keep llm_config.yaml private, restrict file permissions, do not commit or share it, monitor billing/quota, and avoid sending secrets, regulated data, or proprietary content unless each configured provider is approved for that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The document claims all configured providers should expose an OpenAI-compatible endpoint, but elsewhere lists providers that require special auth, different paths, or only partial compatibility. This mismatch can cause implementers to send requests or credentials using the wrong protocol, leading to failed requests, accidental key invalidation, or unintended disclosure to third-party endpoints under incorrect assumptions.

Intent-Code Divergence

Medium
Confidence: 94%
Finding
The unified request format specifies a fixed Bearer token scheme and /chat/completions path, but the same file documents providers such as Anthropic, Google AI Studio, and Tencent Hunyuan that require different authentication or API shapes. In a key-pool skill, such misleading normalization guidance is dangerous because developers may route secrets and prompts with incorrect headers or URLs, causing credential exposure in logs, request failures, or broken failover behavior.

Missing User Warnings

Medium
Confidence: 90%
Finding
The README explicitly instructs users to copy a template and replace placeholders with real API keys in a local YAML file, but does not warn that this stores credentials in plaintext on disk. For a skill whose main purpose is aggregating many third-party API keys, this increases the chance of accidental disclosure through weak file permissions, backups, screenshots, shell history, or misplacement of the config file.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill instructs users to pass `--prompt` and optional `--system-prompt` to a client that routes requests across multiple external LLM providers, but it does not clearly warn that this content will be transmitted to third parties. In practice, users may supply sensitive prompts, internal instructions, credentials, or proprietary data without informed consent, and the multi-provider failover design broadens the disclosure surface because data may be sent to different vendors depending on availability.

Missing User Warnings

Medium
Confidence: 95%
Finding
The guide instructs users to paste real API keys directly into a YAML file but does not warn about secret leakage, accidental commits, file permission risks, or safer secret-management alternatives. In a key-pool skill, this is especially sensitive because users are encouraged to store multiple live provider credentials in one place, increasing blast radius if the file is exposed.

Missing User Warnings

Medium
Confidence: 88%
Finding
The examples encourage users to send prompts, code, and review content to third-party model providers without any warning that this data leaves the local environment. This can expose proprietary code, internal documents, or sensitive prompts to external APIs, which is particularly relevant because the skill is designed to route traffic across multiple providers.

Missing User Warnings

Medium
Confidence: 84%
Finding
The quickstart instructs users to place real API keys directly into a local YAML file and shows literal key placeholders in examples, but only later gives a brief warning not to commit the file to version control. That guidance is incomplete because local plaintext config files are also commonly exposed through shell history, backups, screenshots, shared workspaces, CI artifacts, or permissive filesystem permissions.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script collects API keys and writes them in plaintext to llm_config.yaml without warning the user about credential-at-rest risks or setting restrictive file permissions. This can expose secrets to other local users, backups, source control commits, or malware on the host, leading to unauthorized API usage and account abuse.

Missing User Warnings

Medium
Confidence: 93%
Finding
The document explicitly instructs users to send API keys in Authorization headers and user chat messages to third-party provider endpoints, but it does not warn about privacy implications, external data transfer, data retention, or provider trust boundaries. In a key-pool skill that encourages multi-vendor routing and failover, this omission materially increases the risk of users unknowingly disclosing sensitive prompts and credentials across multiple external services.

Missing User Warnings

Medium
Confidence: 88%
Finding
The file instructs users to send prompts and API keys to multiple third-party AI providers, but it does not clearly warn that user data may leave the local environment and be processed by external vendors with different retention and privacy policies. In a multi-provider failover design, this is especially risky because the same prompt may be transmitted to several vendors over time without the user's informed consent.

VirusTotal

67/67 vendors flagged this skill as clean.