Back to skill

Security audit

Infinity Router

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed model-routing utility, but it can use OpenRouter keys, edit local AI configuration, and optionally run a watcher that restarts OpenClaw.

Install only if you want a local tool that can use your OpenRouter API key and edit OpenClaw or Claude Code model settings. Use a dedicated OpenRouter key where possible, protect auth-profiles.json, review the installer before running it, and avoid watch/daemon or --notify modes unless you are comfortable with automatic model rotation, OpenClaw restarts, and sharing rotation events with the webhook endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation instructs use of environment variables, file reads/writes, network access, and shell commands, yet no permissions are declared. This creates a transparency and consent problem: an agent may invoke a skill with broader operational reach than users or the platform expect, increasing the chance of unsafe file modification, key handling, or command execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated purpose is model routing/configuration, but the skill also describes daemonized monitoring, log tailing, automatic rotation, optional webhook POSTs, installation into /usr/local/bin, and gateway restarts. This mismatch hides materially more powerful behavior than the summary suggests, which can lead to unexpected persistence, outbound communications, and service disruption in environments where the skill is trusted for a narrower task.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The watch command accepts an arbitrary webhook URL and passes it to the watcher for POST notifications, creating an outbound network primitive not clearly justified by the skill's routing-only description. In agent environments, arbitrary webhooks can enable unintended data egress, internal network access attempts, or covert signaling if logs or model identifiers are included in notifications.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The watcher harvests an OpenRouter API key not only from the environment but also from local config and auth-profile files, which exceeds what a simple log-watching helper would minimally need and is not obvious from the skill description. Expanding secret discovery across unrelated local files increases the blast radius if this component is reused, modified, or compromised, and it normalizes undisclosed credential access.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill can transmit rotation events to an arbitrary webhook, but the manifest/description emphasizes routing and model rotation rather than outbound notifications. Hidden or under-disclosed network egress is dangerous because operators may deploy the skill without realizing it can send operational data to third-party endpoints.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly instructs users to place live OpenRouter API keys in `auth-profiles.json`, which stores credentials in plaintext on disk, but does not warn about file permissions, secret handling, or safer alternatives. This increases the chance of credential exposure through local compromise, backups, dotfile sync, screenshots, or accidental commits.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation tells users that `pick` will auto-configure models and then instructs them to restart the OpenClaw gateway, but it does not clearly warn that this modifies local configuration and affects a running service. In a tool that rewrites config and can later auto-restart services, lack of disclosure can lead to unintended service disruption or misconfiguration.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The activation text uses broad phrases like free AI, OpenRouter, model switching, rate limits, and reducing AI costs, which overlap with many ordinary conversations. Over-broad triggers can cause the skill to activate unexpectedly and perform sensitive configuration-oriented guidance or actions in contexts where the user did not intend to invoke it.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Reading API credentials from environment variables and multiple local auth files without prominent disclosure is a secrecy and transparency issue. Even though the key is used locally for model ranking, undisclosed secret access is risky because users may not expect a watcher utility to inspect auth stores beyond its immediate configuration.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code posts model rotation metadata to any user-supplied webhook URL with no validation, privacy warning, or restriction. Although the payload is small, this still creates unbounded external transmission of operational data and could be abused to exfiltrate internal model usage patterns or support SSRF-style access to internal HTTP endpoints.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.