openrouter-perplexity

Security checks across malware telemetry and agentic risk

Overview

This is a simple OpenRouter-backed search skill, though some wording may confuse users by referring to Perplexity.

Install this if you intend to use OpenRouter for web-search-style queries. Treat queries as data shared with OpenRouter, avoid entering secrets or sensitive private information, and monitor OpenRouter API usage or billing. The publisher should clarify the Perplexity/OpenRouter wording to avoid confusion.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Description-Behavior Mismatch

Medium

Confidence: 97% confidence
Finding: The skill metadata claims it uses the Perplexity API, but the implementation actually sends user queries to OpenRouter and requires an OPENROUTER_API_KEY. This mismatch can mislead users and reviewers about where data is transmitted, which matters for trust, billing, data handling, and compliance; in an agent skill, users may unknowingly authorize transmission to a different third party than advertised.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal