Back to skill

Security audit

Cn Llm Router

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local command-line router for Chinese LLM providers, with expected use of environment API keys, provider network calls, and local cost/cache databases.

Install only if you are comfortable sending prompts to the LLM providers you configure and storing prompt/response cache plus usage metadata locally under ~/.cn_llm_router. Use --no-cache for sensitive prompts, run cache clear when needed, and review config settings before enabling update_url or wecom_webhook.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill explicitly describes capabilities to read environment variables, read and write local files (SQLite cache/cost DB, config), and make outbound network requests to multiple model providers, yet the metadata shown in this file does not declare corresponding permissions. Undeclared capabilities reduce user visibility and policy enforcement, which is risky because the skill handles API keys and can transmit prompts off-host.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
`_ws_chat()` references `websocket.create_connection` but `websocket` is only imported as a local variable inside `chat()`. Because local imports are not visible to other methods, this can cause a runtime failure (`NameError`) when `_ws_chat()` executes, breaking the adapter's documented on-demand dependency handling and creating an easy denial-of-service condition for this code path. In a router skill that centrally brokers multiple LLM providers, reliability faults in one adapter can disrupt automated provider selection and fail requests unexpectedly.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The activation description contains broad triggers such as wanting to call domestic LLMs, compare models, manage multiple keys, or avoid vendor lock-in, which can overlap with many ordinary user requests. Overbroad invocation can cause the skill to engage unexpectedly in contexts involving credentials, network calls, or local caching, increasing the chance of unintended data handling.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document specifies persistent local logging of every model call to a SQLite database, including task metadata, token counts, cost, latency, and success status, but does not mention user notice, retention limits, redaction, or opt-out controls. Even if prompt/response bodies are not explicitly listed here, task-level metadata can still reveal sensitive user activity patterns, business workflows, and model usage history, especially on shared or managed endpoints.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.