ToolRoute

Security checks across malware telemetry and agentic risk

Overview

ToolRoute is transparent about what it does, but it asks agents to send task descriptions to an external routing service before every task.

Install only if you are comfortable sharing generalized task descriptions with toolroute.io and letting its recommendations influence tool and model selection. For sensitive work, require explicit approval and careful redaction before each route call; review the separate SDK or hook packages before installing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The skill instructs the agent to consult ToolRoute before every task, which creates an extremely broad activation scope and encourages unconditional use of an external service. In practice, this can cause unnecessary data disclosure for unrelated tasks and can override normal per-task judgment about whether external routing is appropriate.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
The repeated 'Before every task' integration pattern reinforces mandatory routing for all work, regardless of sensitivity or necessity. This increases the chance that confidential prompts, internal workflows, or restricted tasks will be sent to an external endpoint by default, making the broad scope materially risky in context.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
Route a task:
```bash
curl -s -X POST https://toolroute.io/api/route \
  -H "Content-Type: application/json" \
  -d '{"task": "YOUR_TASK_DESCRIPTION"}'
```
Confidence: 90%
Finding
The flagged content is the route call quoted above, which sends the task description to toolroute.io, followed in the skill text by the instruction "Report the outcome (optional, earns routing credits):" and a second bash snippet that is cut off in the scan output.
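The mitigation the overview recommends (explicit approval and redaction before each route call) can be enforced in front of the request the finding above quotes. The following is an added example, not ToolRoute's own code: only the request shape (a POST of {"task": "..."} to https://toolroute.io/api/route) is taken from the skill as shown on this page; the secret patterns, the sensitivity keywords, the approval callback and the sample tasks are a hypothetical policy and constructed input chosen for illustration. The gate makes no network call itself; it decides whether anything may be sent and what the body would be.

```python
"""Approval-and-redaction gate for the ToolRoute route call.

Added example, not ToolRoute's code. Only the request shape comes from the
skill (POST {"task": "..."} to https://toolroute.io/api/route); the patterns,
keywords and approval callback are a hypothetical policy.
"""
import json
import os
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

ROUTE_URL = "https://toolroute.io/api/route"  # endpoint quoted in the skill

# Fragments that must never reach an external endpoint (hypothetical policy).
SECRET_PATTERNS = [
    (re.compile(r"(?i)(api[_-]?key|token|secret|password)\s*[:=]\s*\S+"), r"\1=[REDACTED]"),
    (re.compile(r"\bsk-[A-Za-z0-9]{16,}\b"), "[REDACTED_KEY]"),
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "[REDACTED_AWS_KEY]"),
    (re.compile(r"(?:/home|/Users)/\S+"), "[REDACTED_PATH]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[REDACTED_EMAIL]"),
]

# Words that mark a task as too sensitive to route without a human decision (hypothetical policy).
SENSITIVE_KEYWORDS = ("prod", "production", "customer", "credential", "internal",
                      "confidential", "hr", "payroll")


@dataclass
class RouteDecision:
    action: str             # "send", "needs_approval" or "blocked"
    payload: Optional[str]  # JSON body for the POST, or None when nothing may be sent
    redactions: int = 0
    reasons: list = field(default_factory=list)


def redact(task: str, env: Optional[dict] = None) -> tuple:
    """Scrub secret-looking strings and any environment variable values from the task text."""
    env = os.environ if env is None else env
    count = 0
    # Env var values are the most direct leak channel: drop any that appear verbatim.
    for name, value in env.items():
        if len(value) >= 8 and value in task:
            task = task.replace(value, f"[REDACTED_ENV:{name}]")
            count += 1
    for pattern, replacement in SECRET_PATTERNS:
        task, n = pattern.subn(replacement, task)
        count += n
    return task, count


def gate_route_call(task: str, approve: Optional[Callable[[str], bool]] = None,
                    env: Optional[dict] = None) -> RouteDecision:
    """Redact first, then require explicit approval when anything sensitive remains.

    With no approval callback a sensitive task is held ("needs_approval") rather
    than sent by default, which is the behaviour the findings above warn about.
    """
    cleaned, n = redact(task, env)
    reasons = []
    if n:
        reasons.append(f"{n} secret-looking fragment(s) redacted")
    if not cleaned.strip():
        return RouteDecision("blocked", None, n, reasons + ["nothing left to route"])
    lowered = cleaned.lower()
    hits = [k for k in SENSITIVE_KEYWORDS if re.search(rf"\b{k}\b", lowered)]
    if hits:
        reasons.append("sensitive keywords: " + ", ".join(hits))
    if hits or n:
        if approve is None:
            return RouteDecision("needs_approval", None, n, reasons)
        if not approve(cleaned):
            return RouteDecision("blocked", None, n, reasons + ["approval denied"])
    return RouteDecision("send", json.dumps({"task": cleaned}), n, reasons)


def build_request(decision: RouteDecision) -> Optional[dict]:
    """Materialize the skill's POST (same shape as its curl command) only for a 'send' decision."""
    if decision.action != "send":
        return None
    return {"method": "POST", "url": ROUTE_URL,
            "headers": {"Content-Type": "application/json"}, "body": decision.payload}


if __name__ == "__main__":
    # Constructed sample tasks; env is passed explicitly so the demo does not read the real environment.
    samples = [
        ("Write unit tests for a CSV parser", {}),
        ("Rotate the API_KEY=sk-abcdefghijklmnopqrstuvwxyz in production", {}),
        ("Deploy with token hunter2secret", {"DB_PASS": "hunter2secret"}),
        ("Summarize the internal HR payroll report", {}),
    ]
    for text, env in samples:
        d = gate_route_call(text, approve=None, env=env)
        print(d.action, d.payload, d.reasons)
```

Run as written, the four constructed tasks produce "send" for the harmless one and "needs_approval" for the other three, because no approval callback is wired in; an agent integration would pass a callback that prompts the operator and only then perform the POST from build_request. The env scan catches values that no pattern would (the "hunter2secret" token), which is the case a regex-only redactor misses.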

VirusTotal

65 of 65 vendors reported this skill as clean.
