Sage Router

Security checks across malware telemetry and agentic risk

Overview

Sage Router is a real local model router, but it also includes high-impact credential, tunnel, billing, analytics, and browser-cookie proxy features that need careful review before use.

Install only if you intend to run a powerful local router that handles provider credentials and possibly browser-session cookies. Before use:
  • Keep it bound to localhost or a private network.
  • Set SAGE_ROUTER_CLIENT_AUTH_REQUIRED=1 with strong SAGE_ROUTER_CLIENT_API_KEYS before any tunnel or shared deployment.
  • Avoid Grok SSO/browser-cookie mode unless you accept session-token risk.
  • Restrict /health and debug access.
  • Disable hosted billing/analytics/tunnel features unless you explicitly need them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (35)

Tainted flow: 'request' from os.environ.get (line 609, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
logger.info("Cookie notes: %s", notes)

try:
    with urllib.request.urlopen(request, timeout=UPSTREAM_TIMEOUT_SECONDS) as response:
        raw = response.read()
except urllib.error.HTTPError as exc:
    body_text = exc.read().decode("utf-8", "replace")[:4000]
Confidence
98% confidence
Finding
with urllib.request.urlopen(request, timeout=UPSTREAM_TIMEOUT_SECONDS) as response:

Tainted flow: 'content' from os.environ.get (line 7044, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
if content.startswith("http"):
    import base64
    try:
        img_data = urllib.request.urlopen(content, timeout=30).read()
        images.append(base64.b64encode(img_data).decode())
    except: pass
else:
Confidence
99% confidence
Finding
img_data = urllib.request.urlopen(content, timeout=30).read()

Tainted flow: 'img_url' from os.environ.get (line 6397, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
if img_url.startswith("http"):
                            import base64
                            try:
                                img_data = urllib.request.urlopen(img_url, timeout=30).read()
                                images.append(base64.b64encode(img_data).decode())
                            except: pass
    req_payload = {"model": model, "prompt": prompt, "images": images if images else None, "stream": False}
Confidence
99% confidence
Finding
img_data = urllib.request.urlopen(img_url, timeout=30).read()

Context-Inappropriate Capability

High
Confidence
90% confidence
Finding
This code unlocks Bitwarden and retrieves stored credentials, which materially expands the privilege and secret-access scope of the skill beyond simple routing. In the context of a 'local-first model router,' adding vault-unlock and credential retrieval creates a high-risk secret-access capability that could expose credentials if the service is misused, logged, or compromised.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code reads and decrypts Chromium/Brave browser cookies directly from the user's profile, harvesting session material intended for browser-only authentication. In this skill context, that is especially dangerous because it silently converts local browser sessions into reusable API credentials and increases the risk of credential theft, unauthorized account use, and privacy loss.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The health endpoint exposes sensitive operational metadata including browser profile paths, cookie source, and cookie-name inventory. Even if it does not reveal cookie values, this information helps an attacker map the host environment, confirm the presence of specific auth artifacts, and target follow-on attacks; the risk is amplified because the service is an auth-bearing proxy.

Description-Behavior Mismatch

High
Confidence
89% confidence
Finding
The skill is described as a local-first router, but the code includes billing, customer management, analytics mirroring, and payment handling. This mismatch is dangerous because operators may deploy it with a lower trust posture than warranted, while the code processes identities, credentials, and external telemetry flows not implied by the stated purpose.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The router goes beyond passive model routing and can manage services and spawn helper processes (`systemctl`, `dario`, `node`). In a network-exposed agent skill, this materially expands the attack surface because remote requests can indirectly trigger local process execution and service state changes, increasing the blast radius of any routing or config abuse.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
Comments assert that the router does not collect user identities, yet the implementation can create and persist customer records with user IDs and emails. This kind of contradictory trust signaling is risky because it can mislead reviewers and operators about privacy and compliance exposure.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This script creates a persistent WebSocket tunnel to a remote relay and forwards arbitrary remote 'chat.completions' jobs into a locally reachable model service, then returns the responses back out. That is effectively remote exposure of a local AI endpoint, which expands the trust boundary well beyond a 'local-first' router and can enable unauthorized use, prompt/data exfiltration, and abuse of any local model access the host has.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The environment variables and connection setup show this file is designed as a backhaul connector to a remote service, not merely local model routing. In the context of an agent skill advertised as local-first, this hidden remote bridge materially increases risk because it allows remote parties controlling the relay to drive local inference and potentially access sensitive prompts, outputs, or paid/provider-backed capabilities exposed through the local router.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The page loads third-party resources from Google Fonts and jsDelivr, which creates outbound network dependencies and expands the trust boundary of a supposedly local-first product. If those external resources are unavailable, tampered with, or used for tracking, users may be exposed to privacy leakage or supply-chain risk, especially because the Supabase library can influence authentication flows.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script proactively searches a user's local rclone configuration for a Google service account file and then uses it for an external API call. That credential discovery is unrelated to the advertised routing function, violates least surprise, and can cause unintended use of sensitive local credentials if a user runs the script in a trusted context. In this skill context, the mismatch makes the behavior more suspicious because it reaches into unrelated local config to obtain cloud credentials.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The deployment guide instructs users to expose the service through a Cloudflare Tunnel and explicitly use the returned public URL as an API base endpoint, but it does not warn that this makes the router remotely reachable and may expose prompts, metadata, or downstream model access to anyone who can reach that URL. The statement that this gives a 'permanent' trycloudflare URL is also misleading and may encourage unsafe assumptions about access control and persistence.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide tells users to mount ~/.openclaw or store openclaw.json in a secrets/config location without explaining that these files may contain provider API keys, tokens, routing rules, or user-specific sensitive configuration. This can lead to accidental credential exposure through overly broad volume mounts, weak secret handling, or publishing sensitive files into hosted environments.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation instructs users to supply live Grok session cookies or read them directly from a Chromium browser cookie database, but it does not warn that these values are authentication credentials equivalent to account access tokens. In an agent skill context, normalizing cookie extraction and reuse increases the chance of credential theft, account misuse, or accidental disclosure through logs, files, environment variables, or prompts.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README clearly promotes automatic routing across multiple third-party providers and highlights debug/health visibility, but it does not prominently warn users that prompts, attachments, and routing metadata may leave the local machine when non-local providers are configured. In a router intended to sit in front of many agent tools, that omission can cause users to unintentionally transmit sensitive data to external APIs under the assumption that the system is effectively local-first by default.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The debug and health sections describe exposing selected provider/model, last route decision, attempt history, rejection reasons, and adding router metadata into responses, but they do not warn that these features may reveal recent request details or internal routing information to users, downstream clients, logs, or other local consumers. For agent workflows handling secrets, proprietary prompts, or internal topology, that can create an unintended information disclosure path.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The skill references provider auth data, API keys, and credential-driven routing behavior without a prominent warning about secret handling and privacy implications. This can lead users to expose provider credentials or route sensitive prompts through third-party services without understanding the risk.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The skill advertises a local endpoint but also describes routing to multiple providers, including centralized internet APIs and compatibility bridges, without a clear user-facing warning that prompts may leave the machine. In context, this is more dangerous because the 'local-first' framing may cause users to assume requests remain local when some profiles explicitly permit external routing.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation includes a ready-to-run authenticated Stripe checkout request that can initiate a billing flow using a live user bearer token, but it does not warn readers that executing it may create a billable checkout session or subscription-related side effect. In an agent-oriented product, examples are more likely to be copied or executed automatically, which increases the chance of unintended account or billing actions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README promotes hosted relay analytics and request forwarding while emphasizing privacy, but it does not clearly warn that the relay can still observe metadata such as IPs, timing, request sizes, routing patterns, and possibly prompt/response content unless explicitly disabled or minimized. In a security-sensitive routing product, this omission can mislead users into overestimating privacy guarantees and cause accidental disclosure through the hosted control plane.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The health endpoint leaks implementation and environment details without any access control. In a service handling browser-derived authentication cookies, such disclosure materially increases reconnaissance value and can reveal where secrets are sourced and stored.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The proxy forwards browser/session cookies upstream as part of its core function, but the file provides no technical safeguard ensuring explicit user consent or limiting where those cookies can go. In this context, the behavior is sensitive because the cookies are browser-derived SSO credentials and are combined with prompt contents, creating privacy and account-abuse risk if configuration is unsafe or users are unaware.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This file configures many third-party model providers but does not disclose that user prompts, attachments, and related metadata may be transmitted off-host to external APIs. In a local-first routing skill, that omission is security-relevant because users may reasonably assume data stays local unless explicitly warned otherwise.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
