Iblai Openclaw Router

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real local model-routing proxy, but it installs a persistent system service and handles API keys and prompt text in ways users should review first.

Review the install script and generated systemd unit before installing. Confirm which API key will be used, prefer a protected secret file or manual key setup over embedding the key in the unit, set ROUTER_LOG=0 for sensitive workloads, and only use apiBaseUrl values for providers you trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The installer reads an existing Anthropic API key from OpenClaw auth storage and reuses it automatically. While this may be intended as convenience for setup, it expands the skill's capability into credential access, which is more sensitive than simple model routing and creates risk if the script or routed service is compromised.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The installer performs broader host-administration actions than the skill description suggests, including creating a system service and managing its lifecycle. This mismatch increases security risk because users may not expect privileged persistence-related changes when installing a routing helper, reducing informed consent and auditability.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The script creates and enables a systemd service using sudo, granting persistent host-level execution to the router. Even if the router itself is legitimate, installing a persistent privileged service materially increases the blast radius of any flaw in the service or future unauthorized modification of the deployed files.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
The installer silently rewrites OpenClaw's global configuration to register itself as a provider and modify allowlists. This is not inherently malicious, but undocumented configuration mutation can surprise users, alter trust boundaries, and make rollback or troubleshooting harder.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README encourages users to instruct an agent to clone a repository, execute install/uninstall scripts, and modify system configuration in one step, without emphasizing review or trust boundaries. In an agentic environment, this can lead to arbitrary code execution and persistent host changes from unreviewed remote content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The manual setup instructs users to extract an API key from a local auth file and embed it into a systemd service definition, creating both credential-handling risk and persistent privileged system modification. This is dangerous because it normalizes reading secrets from local stores and placing them where they may be exposed via process/service metadata or logs.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The install instructions tell the user to execute a shell script that copies files into the user's workspace, creates a systemd service, starts a background listener on port 8402, and registers a model provider, but they do not prominently warn that persistent system changes and a long-running service will be created. This is dangerous because users may execute the installer without understanding that it alters startup behavior, opens a local service endpoint, and changes model-routing behavior across OpenClaw workloads.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The detected API key is embedded directly into a systemd unit file as an environment variable. This can expose the secret to users or processes able to read unit definitions or inspect service configuration, and it leaves sensitive material in plaintext on disk without warning.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The router forwards full user requests to an upstream model provider and also logs a preview of request content locally. In a proxy skill that may handle prompts containing secrets, credentials, personal data, or proprietary text, this creates a real confidentiality risk because sensitive content is disclosed to external services and local logs without any consent, redaction, or warning mechanism.

Ssd 3

Medium
Confidence
97% confidence
Finding
The code logs the first 80 characters of extracted request text, which can easily include secrets, API keys, personal information, or confidential prompts. Even truncated logs are risky because many sensitive values appear near the beginning of requests, and logs often have broader retention and access than the live request path.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
EOF

# 3. Start the router
sudo systemctl daemon-reload
sudo systemctl enable --now iblai-router

# 4. Verify it's running
Confidence
91% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
# 3. Start the router
sudo systemctl daemon-reload
sudo systemctl enable --now iblai-router

# 4. Verify it's running
curl -s http://127.0.0.1:8402/health | jq .
Confidence
90% confidence
Finding
sudo

Session Persistence

Medium
Category
Rogue Agent
Content
# 3. Start the router
sudo systemctl daemon-reload
sudo systemctl enable --now iblai-router

# 4. Verify it's running
curl -s http://127.0.0.1:8402/health | jq .
Confidence
88% confidence
Finding
systemctl enable

Session Persistence

Medium
Category
Rogue Agent
Content
cd ~/.openclaw/workspace
git clone https://github.com/iblai/iblai-openclaw-router.git router

# 2. Create the systemd service
sudo tee /etc/systemd/system/iblai-router.service > /dev/null << EOF
[Unit]
Description=iblai-router - Claude model routing
Confidence
90% confidence
Finding
Create the systemd service sudo tee /etc/systemd/system/iblai-router.service > /dev/null << EOF [Unit] Description=iblai-router - Claude model routing After=network.target [Service] Type=simple ExecS

VirusTotal

64/64 vendors flagged this skill as clean.
