Spendex AI Router

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent LLM-routing skill, but using it means your prompts and provider/API credentials go through Spendex.

Before installing, confirm you trust Spendex with your prompts and provider keys, set spending limits, and avoid sending sensitive data unless its privacy and retention policies meet your needs.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

LLM requests may be handled by Spendex instead of the platform's normal provider path, potentially affecting cost, latency, and routing behavior.

Why it was flagged

The skill uses curl to call an external chat-completions API. This is expected for an AI router, but it is still an external tool/API path the agent may use.

Skill content

curl -s -X POST "https://app.spendexai.com/v1/chat/completions" ... -H "Authorization: Bearer $SPENDEX_API_KEY"

Recommendation

Install only if you want Spendex to route LLM calls, and monitor usage/budgets after enabling it.

What this means

If the Spendex account or stored provider keys are misused, the user could incur provider costs or expose account access.

Why it was flagged

The setup asks users to give Spendex access to provider API keys. That is purpose-aligned for a router, but those credentials can spend money and access provider accounts.

Skill content

Bring Your Own Keys — connect your existing OpenAI, Anthropic, Google, Mistral, DeepSeek, Groq, Together, Fireworks, Cohere keys in the Spendex dashboard.

Recommendation

Use least-privileged provider keys where possible, set provider-side spending limits, enable Spendex budgets, and rotate keys if you stop using the service.

What this means

Prompts, chat history, and any sensitive information included in them may be sent to Spendex and downstream model providers.

Why it was flagged

The skill directs prompt content and conversation history through Spendex and whichever provider it selects. This is central to the service, but it expands the data boundary.

Skill content

route the request through Spendex instead of calling providers directly ... For conversations with history, include the full message array

Recommendation

Avoid using this skill for confidential prompts unless you trust Spendex's and the selected providers' data handling, retention, and privacy practices.