Security audit

Auto Model Selector

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its model-routing purpose, but it needs review because it can automatically send prompts to a hard-coded private-network Ollama server and route work to cloud models without clear user control.

Install only if you are comfortable with prompts being evaluated by a configured Ollama service and with complex tasks being routed to cloud models. Before use, change the Ollama host to localhost or a trusted server, avoid sensitive prompts unless routing is explicitly acceptable, and review models.json because automatic detection can change future routing behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence: 93%
Finding
The README instructs users to configure and use an Ollama host at a network address but does not warn that user prompts may be sent over the network to that host. In an agent skill context, prompts can contain sensitive data, so omitting this disclosure can lead to unintended data exposure to another machine or service on the LAN or beyond.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly states that complex requests are sent to a cloud model API, but it does not warn users that prompts, files, or other sensitive content may leave the local system. In a model-routing skill, this omission is security-relevant because users may assume all processing is local and unknowingly expose confidential data to third-party services.

Missing User Warnings

Medium
Confidence: 94%
Finding
The documentation says the skill automatically analyzes every user request and switches models per request, but it does not disclose that this routing can change where user data is processed. Automatic switching increases risk because sensitive prompts may be sent off-device without a deliberate user decision at the time of submission.

Missing User Warnings

Medium
Confidence: 86%
Finding
The skill silently performs a network request to a hard-coded internal IP to enumerate available models, which discloses local environment information without explicit user consent or meaningful notice. In an agent skill context, unexpected outbound or lateral-network probing is more sensitive because it can reveal internal infrastructure details and normalize covert discovery behavior.

Missing User Warnings

Medium
Confidence: 95%
Finding
The router sends the full user prompt to an HTTP endpoint for complexity classification without any disclosure, consent flow, or data-minimization step. Because prompts may contain sensitive user data and the default host is a private-network service over plain HTTP, this creates a real confidentiality risk through unexpected network transmission and interception.

VirusTotal

66/66 vendors flagged this skill as clean.
