free-model-router-laodao

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a genuine local model router, but its local admin server and updater carry broad powers that should be reviewed before installation.

Install only if you are comfortable running a persistent localhost router that can modify OpenClaw config, store provider keys locally, contact freemodel servers, and expose an admin API trusted by localhost. Keep it bound to 127.0.0.1, avoid exposing it through proxies or tunnels, review the admin update feature carefully, and disable reporting unless you explicitly want health/diagnostic data sent upstream.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (32)

Description-Behavior Mismatch (High severity, 98% confidence)

The `checkAuth` function grants `authorized: true` for any request identified as local via `isLocalAccess`, bypassing all token-based authentication for `/admin` and `/api` routes. This is dangerous because localhost and proxy trust assumptions are frequently broken in real deployments through SSRF, reverse-proxy misconfiguration, container networking, or exposure via a trusted proxy, leading to full administrative access without credentials.

Context-Inappropriate Capability (High severity, 96% confidence)

This admin UI includes a self-update flow that can trigger system update actions and even presents a shell one-liner to fetch and execute a remote install script (`curl ... | bash`). That creates a high-risk code-execution path because update infrastructure compromise, MITM, or social engineering could lead administrators to run unverified code on the host.

Context-Inappropriate Capability (Medium severity, 97% confidence)

The page explicitly bypasses administrator authentication for "local access" by redirecting directly to the admin panel when `isLocalAccess` is true. Trusting network origin as an authentication factor is dangerous because local access can be spoofed or reached through SSRF, reverse proxies, container/host networking, or other misconfigurations, resulting in unauthorized administrative access.

Intent-Code Divergence (Low severity, 84% confidence)

The code trusts a client-visible status response and automatically redirects local users away from admin setup based on `isLocalAccess`, while the comment explicitly states local access is password-free. If the server actually grants privileged access on the basis of locality, this creates a dangerous authentication bypass model, especially in environments with proxies, container networking, or SSRF-style access paths where "local" can be misidentified.

Context-Inappropriate Capability (Medium severity, 93% confidence)

This module generates a stable per-installation `deviceId` and a deterministic system fingerprint derived from hostname, home directory, platform, and architecture. Even if intended for routing or diagnostics, these identifiers enable persistent correlation of a user or machine across sessions without an obvious need tied to the stated skill purpose, creating a tracking/privacy risk that becomes more concerning in a networking/router skill that may communicate with external providers.

Description-Behavior Mismatch (Medium severity, 93% confidence)

This logger is not limited to local diagnostics: `logRequestSummary()` conditionally calls `_sendToModelServer()` and uploads telemetry to a remote host (`https://freemodel.eu.org` by default). Because the uploaded object contains request metadata such as endpoint, routing/pass-through state, attempts, latencies, and potentially provider/model identifiers, this creates an external data exfiltration path inconsistent with a purely local monitoring role and can leak operational metadata without clear user consent.

Context-Inappropriate Capability (Medium severity, 96% confidence)

`_sendToModelServer()` sends monitoring payloads to an external endpoint and includes `X-Api-Key` sourced from local configuration on every request. Even if intended for authentication, transmitting an API key together with telemetry expands the trust boundary, exposes credentials to a remote service, and increases the consequences of endpoint compromise, misconfiguration, or undisclosed third-party collection.

Description-Behavior Mismatch (Medium severity, 92% confidence)

The file implements account-like and monetization-related capabilities such as API key registration, referral code application, Pro credit lookup, provider redemption, and update checks, but the stated description does not disclose these features. Hidden account/credit behaviors are security-relevant because they expand trust boundaries and introduce undisclosed interactions with remote infrastructure.

Context-Inappropriate Capability (Medium severity, 90% confidence)

Referral and Pro-credit redemption are unrelated to core model routing and introduce additional remote actions that can affect user accounts, credits, or provider entitlements. In a routing skill context, such unrelated capabilities increase attack surface and create opportunities for abuse or user confusion about what the component is authorized to do.

Description-Behavior Mismatch (Medium severity, 95% confidence)

The code stores feedback locally and transmits feedback/telemetry-related data to remote services, including daily stats snapshots and feedback submission forwarding, but the provided description does not disclose this collection behavior. Undisclosed collection is dangerous because it can leak operational metadata or user-entered content without informed consent, especially in a tool expected to act as a local router.

Context-Inappropriate Capability (High severity, 98% confidence)

The `/api/shutdown` endpoint allows a remote caller with admin access to terminate the process via `process.exit(0)`. Even if authenticated, this is a dangerous remote control capability not essential to routing and can be abused for denial of service if credentials are stolen, auth is bypassed elsewhere, or the service is exposed more broadly than intended.

Context-Inappropriate Capability (High severity, 90% confidence)

This file implements a self-update mechanism that downloads and executes a Windows installer from a URL returned by `serverClient.checkForUpdate()` and directly launches a local `install.sh` via `spawn`. That gives the skill software-installation and arbitrary code execution capability, which is substantially more powerful than a routing/configuration helper and becomes dangerous if the update source, transport, or server response is compromised.

Vague Triggers (Medium severity, 82% confidence)

The intent matching includes broad natural-language triggers such as phrases equivalent to "start configuration", "stop router", "uninstall skill", and especially general distress phrases like "OpenClaw is broken" or "model unavailable". Overbroad matching can cause unintended execution of sensitive actions, including setup, shutdown, or diagnostic flows that touch config and provider state, based on ordinary conversation rather than explicit command intent.

Vague Triggers (Medium severity, 79% confidence)

The setup flow is triggered by very generic reply words like '现在设置/开始配置' ("set up now / start configuration") and '延后设置/稍后再说' ("set up later / maybe later") without clear scoping to a specific prompt or session state. This can lead to accidental activation of setup and subsequent privileged behavior such as starting the router, editing config, or registering scheduled tasks if those phrases appear in unrelated conversation.

Missing User Warnings (Medium severity, 86% confidence)

The update flow can be triggered from the modal's confirm button without a meaningful warning about host-level changes, downtime, or trust implications, and then POSTs to `/api/apply-update`. In an admin context this can cause unintended system modification, especially because the feature exceeds the core routing purpose and is coupled with remote-update behavior.

Missing User Warnings (Low severity, 86% confidence)

The update flow can be triggered from the modal's confirm button without a meaningful warning about host-level changes, downtime, or trust implications, and then POSTs to `/api/apply-update`. In an admin context this can cause unintended system modification, especially because the feature exceeds the core routing purpose and is coupled with remote-update behavior.

Missing User Warnings (Low severity, 95% confidence)

API keys and related secrets are stored in plaintext in `router-config.json` via functions such as `setProviderApiKey()` and `setServerApiKey()`. If the local filesystem is accessed by another local user, malware, backups, or misconfigured permissions, those credentials can be stolen and reused against upstream providers.

Missing User Warnings (Medium severity, 95% confidence)

API keys and related secrets are stored in plaintext in `router-config.json` via functions such as `setProviderApiKey()` and `setServerApiKey()`. If the local filesystem is accessed by another local user, malware, backups, or misconfigured permissions, those credentials can be stolen and reused against upstream providers.

Missing User Warnings (Medium severity, 95% confidence)

The code silently writes a persistent device identifier to disk in `device-id.json` and reuses it on later runs, with no user-facing notice or consent mechanism. This creates hidden state that can be used for long-term tracking or linking activity across sessions, and the skill context does not justify undisclosed persistence for simple model routing/configuration behavior.

Missing User Warnings (Medium severity, 89% confidence)

The code transmits monitoring data externally when reporting is enabled, but this file provides no user-facing warning, consent prompt, or inline disclosure of what data is sent. In the context of a routing skill that may handle model/provider requests, silent telemetry can surprise operators and lead to unintended leakage of usage patterns or request metadata.

VirusTotal

VirusTotal findings are pending for this skill version.