Openwrt Router

Security checks across malware telemetry and agentic risk

Overview

This skill is a real OpenWRT router management helper, but it gives an agent broad router-admin command execution over plaintext HTTP, with weak scoping and weak credential-handling guidance.

Install only if you are comfortable letting an agent use administrator credentials to run commands on your OpenWRT router. Prefer HTTPS LuCI access, avoid saving router passwords in plain text agent files, and require explicit approval before any command that changes configuration, installs packages, or restarts services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill performs shell-capable actions but does not declare permissions or constrain those capabilities. This reduces transparency and makes it easier for an agent or reviewer to underestimate that the skill can execute commands against a remote router, increasing the chance of unsafe use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The manifest frames the skill as router monitoring/management, but the implementation exposes arbitrary remote shell execution via LuCI RPC sys.exec. That mismatch is dangerous because users and orchestrators may grant trust appropriate for a monitoring skill while the skill can run any command on the router with root-level effect.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The README explicitly documents use of LuCI RPC `sys.exec` to run arbitrary shell commands on the router, while the skill is presented primarily as a management/monitoring tool. This materially expands capability from read-oriented administration to full remote command execution, which can enable complete device compromise, persistence, configuration tampering, and lateral movement if the agent is induced or allowed to issue unsafe commands.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documented feature set includes software installation, which is a state-changing administrative action beyond the skill metadata's emphasis on management/monitoring and device visibility. This mismatch is dangerous because users or higher-level policy systems may trust the skill as observational when it can actually modify router software and behavior.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Exposing `opkg update && opkg install <pkg>` gives the agent a direct path to alter the router's software stack, which is not clearly justified by the stated monitoring-centric purpose. On a network edge device, unintended package installation can introduce supply-chain risk, destabilize routing/firewall behavior, or install tooling that broadens compromise.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
Documenting use of LuCI RPC sys.exec means the skill can execute arbitrary shell commands on the router, which is far broader than normal monitoring. In the OpenWRT context this likely runs with highly privileged access, enabling configuration tampering, data exfiltration, service disruption, or persistence if misused.

Context-Inappropriate Capability

Medium
Confidence
76% confidence
Finding
Inspecting installed software/packages is outside the stated purpose of device/client monitoring and expands the intelligence the skill can gather from the router. While not as severe as arbitrary execution itself, this broadens reconnaissance value and weakens the principle of least functionality.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The wording suggests a safer alternative to SSH/telnet, but the documented LuCI RPC usage still executes shell commands remotely. That framing can mislead users into believing the skill has limited management scope when it actually provides a comparable remote command channel.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script exposes LuCI RPC `sys.exec` and uses it as the core primitive for all router interactions, which gives arbitrary shell execution on the router rather than limiting itself to read-only monitoring APIs. In the context of a skill described as LuCI-only management/monitoring with no SSH dependency, this is substantially more dangerous because any future action or user-influenced input reaching `rpc()` can run unrestricted commands with router privileges.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The implemented capability is broader than the skill's stated purpose: a monitoring-oriented router skill should not need a general remote shell execution primitive. This mismatch increases risk because the skill can be repurposed for configuration tampering, package installation, persistence, or data exfiltration on the router while presenting itself as a benign monitoring tool.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README describes remote shell-command execution and router modification pathways without clearly warning that these operations can change or break a critical network device. In an agent context, lack of risk disclosure increases the chance that users treat the skill as harmless monitoring and authorize actions that have destructive administrative consequences.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README shows plaintext router usernames and passwords embedded in configuration examples without guidance on secure secret storage. Because router credentials grant administrative access to a network perimeter device, storing them in markdown, config files, or agent workspace data can lead to credential leakage and full router takeover.

Vague Triggers

Medium
Confidence
73% confidence
Finding
The trigger conditions are broad enough to overlap with ordinary conversation about home networking, increasing the chance the skill activates when the user did not intend router access. In this skill, accidental activation is more dangerous because activation can lead to credential use and remote execution on infrastructure equipment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documents HTTP login and cookie-based authentication without warning that credentials and session tokens may traverse the network in cleartext. In a router-management context, interception of the password or sysauth token could grant direct administrative access to the device and any reachable downstream network.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script sends the router password to LuCI over plain HTTP, allowing anyone on the same network path to intercept credentials and session cookies via sniffing or man-in-the-middle attacks. Because this is router-admin access, compromise can lead to full control of the network device and downstream traffic manipulation.

External Transmission

Medium
Category
Data Exfiltration
Content
## Overview

Remotely manage an OpenWRT router through the LuCI RPC API, with no SSH or telnet required. Uses curl + HTTP cookie authentication and executes shell commands through the `cgi-bin/luci/rpc/sys` interface.

## How it works
Confidence
93% confidence
Finding
curl + HTTP cookie authentication; executes shell commands through the `cgi-bin/luci/rpc/sys` interface.

## How it works

### Authentication flow

1. POST the username/password to the LuCI login page
2. Save the returned `sysauth` cookie
3. Use the cookie + RPC API to execute commands

### RPC API address

POST http://<rou

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
SYS_AUTH=$(grep sysauth /tmp/luci_cookies.txt | awk '{print $NF}')
curl -s -m 10 -b /tmp/luci_cookies.txt \
  -H "Content-Type: application/json" \
  -X POST "http://<router_ip>/cgi-bin/luci/rpc/sys?auth=$SYS_AUTH" \
  -d '{"method":"exec","params":["<command>"]}'
```
Confidence
92% confidence
Finding
```bash
curl -s -m 10 -b /tmp/luci_cookies.txt \
  -H "Content-Type: application/json" \
  -X POST "http://<router_ip>/cgi-bin/luci/rpc/sys?auth=$SYS_AUTH" \
  -d
```

VirusTotal

66/66 vendors flagged this skill as clean.
