Back to skill

Security audit

Model Router

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for model routing and shows no exfiltration or destructive code, but it needs review because it stores AI provider API keys and encourages sending sensitive work to third-party models without clear privacy guardrails.

Review before installing if you handle private, regulated, or business-sensitive data. Only configure provider keys you are comfortable storing locally, restrict access to ~/.model-router, verify each provider is approved for the data you route, and do not rely on the documented model aliases until the alias-to-model mapping is corrected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs users to run local Python scripts and shell commands that can write configuration and secret files, but it does not declare corresponding permissions. This creates a transparency and trust gap: users or orchestrators may invoke a skill with side effects on the filesystem or shell without an explicit permission boundary.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The document presents several distinct model personas (GLM, Sonnet, Codex-5.2, Opus) but assigns them the same underlying full ID, which undermines the claimed routing differences in quality, speed, and cost. In a model-routing skill, this can mislead the agent into believing it is isolating tasks to safer or more capable models when it is actually invoking the same backend, causing incorrect trust decisions, cost assumptions, and task handling.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The alias table explicitly maps multiple different aliases to the same full model while earlier sections describe them as meaningfully different options. Because this skill is intended to automatically route tasks across providers and models, the contradiction can cause silent misrouting, inaccurate cost/performance expectations, and false assurance that critical tasks are being delegated to a stronger or isolated model.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases include broad requests such as 'switch model', 'which model should I use', and 'use X model for this', which can match many common prompts outside a narrowly scoped routing workflow. Over-broad activation increases the chance the skill is invoked unexpectedly and causes shell execution, setup prompts, or third-party routing in contexts where the user did not intend it.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill discusses secure local API key storage but does not clearly warn that using configured providers will send prompts, attachments, and possibly sensitive task data to external AI services. In a routing skill, that omission is material because the whole purpose is to forward user tasks to third-party providers, which can create privacy, compliance, and data-governance risks.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The examples encourage sending potentially sensitive content such as emails, production logs, documents, and market-research data to externally hosted models via spawned sessions without any warning, consent step, or data-classification guidance. In a model-routing skill that explicitly supports multiple third-party providers, this omission can lead users to transmit confidential or regulated data to vendors that are not approved for that data type.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.