intent-router

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only skill coherently calls a disclosed paid intent-classification API, but users should note the npm CLI install, the x402 login/payment flow, and the third-party data transfer.

Before installing, confirm that you trust the `awal` npm package and the hosted classifier endpoint, and set payment limits or require review if the agent might invoke this skill repeatedly. Avoid sending sensitive text unless the service's privacy practices are acceptable to you.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the CLI can change the local environment and introduces trust in the npm package.

Why it was flagged

The skill instructs installation of a global npm CLI package. The version is pinned and the package is central to the stated x402 workflow, but it is still a third-party dependency users should verify.

Skill content

npm install -g awal@2.0.3
awal auth login

Recommendation

Verify the `awal` package source before installing, consider avoiding global installation where possible, and keep the pinned version under review.

What this means

If used frequently or automatically, the skill could incur small repeated charges.

Why it was flagged

The skill uses an authenticated x402 payment flow and discloses a per-request USDC cost. This is purpose-aligned, but it gives the workflow access to a payment-capable account.

Skill content

awal auth login ... x402 pay ... $0.005 USDC per request (Base network)

Recommendation

Use a wallet/account with spending limits, review any payment prompts, and avoid enabling unattended high-volume use unless the cost is acceptable.

What this means

Messages submitted for classification may be visible to or processed by the external service.

Why it was flagged

The usage example sends the text to classify and the candidate intents to an external hosted endpoint. This data flow is expected for the skill's purpose, but it means user text leaves the local environment.

Skill content

https://anicca-proxy-production.up.railway.app/api/x402/intent-router ... -d '{"text":"I want to book a flight to Tokyo next week","intents":[...]}

Recommendation

Do not send sensitive or regulated text unless you trust the service and understand its privacy and retention practices.