Back to skill

Security audit

ToolRouter Gateway

Security checks across malware telemetry and agentic risk

Overview

This skill is a broad third-party tool gateway with persistent local caching, and its higher-impact tool access is not scoped tightly enough for automatic trust.

Review this carefully before installing. Use a dedicated low-privilege ToolRouter API key with spending controls if available, avoid sending secrets or regulated data, disable or clear caching for sensitive work, and do not use dynamic scanning, scraping, posting, or account-affecting tools unless each action and target is explicitly authorized.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill dynamically exposes tool names from a remote catalog and states that users can call any ToolRouter tool once discovery completes. This broad invocation scope is risky because a remote service can expand the available action surface at any time, potentially introducing sensitive, high-impact, or unexpected tools without local review or explicit allowlisting.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explains that all calls are proxied to ToolRouter but does not provide a prominent user-facing warning that tool inputs and possibly sensitive data will be transmitted to a third-party API. In a gateway skill that can front many different tool types, this omission is important because users may send URLs, targets, briefs, or research data assuming it stays local.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The skill documents local cache and usage logging behavior but does not clearly warn users that call metadata and response-related artifacts are stored on disk in predictable files. This can create privacy and operational risk if tool names, hashed inputs, timestamps, cost data, or cached outputs reveal sensitive activity or are accessible to other local components.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code persists full tool inputs and full results to a workspace-local JSONL cache by default, with no consent, minimization, or sensitivity filtering. In this skill context, routed tools may handle URLs, research targets, scan targets, briefs, or other potentially sensitive data, so local disk retention creates confidentiality and data-handling risk if the workspace is shared, synced, or later inspected.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The usage log writes tool names, timestamps, and a derived hash of user input to disk without clear disclosure. Although the raw input is not stored here, the metadata can still reveal activity patterns and may enable correlation of repeated sensitive requests, which is a privacy concern in an agent skill handling varied third-party tools.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.