Intelligent Router Openclaw

Security checks across malware telemetry and agentic risk

Overview

This router appears purpose-aligned, but it persistently changes agent instructions and can use local provider credentials for live model tests, so it needs user review before installation.

Install only if you want this router to become part of standing agent policy. Review the AGENTS.md block before applying it, back up AGENTS.md and config.json, avoid the hourly cron unless you want ongoing model probing, and run discovery with --no-live unless you are comfortable using configured provider credentials and possible paid API calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Medium
Confidence: 87%
Finding
The installation section explicitly states that the skill patches AGENTS.md so the protocol is always in context, which is a self-modifying persistence mechanism beyond ordinary routing guidance. Persistently altering agent instructions can silently change future behavior across sessions and other tasks, making mistakes or abuse harder to detect and reverse.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The auto-discovery feature performs provider scanning and live inference tests by reading local OpenClaw configuration and sending prompts to configured models, which goes beyond passive routing. This introduces privacy, billing, and operational risk because simply enabling the feature can generate external traffic, test credentials, and reveal what providers or models are configured.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
Patching AGENTS.md is not necessary for a router to classify tasks or recommend models; it gives the skill a durable mechanism to influence future agent behavior. In security terms, that is instruction-surface modification and persistence, which can amplify the impact of misconfiguration or later abuse.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
Reading ~/.openclaw/openclaw.json and conducting live model probing introduces credential-adjacent discovery and outbound network testing that are broader than the declared routing role. Even if intended for health checking, these actions can leak metadata about providers, incur cost, or trigger external requests unexpectedly.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The installer writes persistent policy content into AGENTS.md at the repository root or a fallback path under $HOME, which changes agent behavior outside the narrow scope of a simple model-routing utility. This is dangerous because it silently alters global or repo-level instructions that may influence future agent actions and trust boundaries, creating a form of policy injection with broader effect than users may expect from installation.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The script installs a persistent hourly cron job that executes a model-refresh action, expanding the skill from on-demand routing into continuous autonomous behavior. Even if the task is nominally maintenance-related, persistence and scheduled execution increase attack surface because any compromise of the referenced script or path will be re-triggered automatically without further user approval.

Context-Inappropriate Capability

Medium
Confidence: 84%
Finding
Provisioning persistent scheduler state via OpenClaw cron is broader capability than the stated purpose of model routing and creates durable behavior outside the immediate user action. In agent environments, persistent jobs are sensitive because they can continue operating, mutate state, or invoke future commands after the original setup context is gone.

Missing User Warnings

Medium
Confidence: 86%
Finding
The documentation presents auto-discovery and auto-update as convenience features but does not prominently warn that they modify configuration and generate network traffic to external providers. Insufficient warning undermines informed consent and can cause unexpected billing, environment changes, or operational noise when users enable the feature or install the associated cron job.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script appends a substantial instruction block to AGENTS.md without prompting the user or showing a diff first. This is dangerous because AGENTS.md is a high-influence policy file for agent behavior, so silent modification can change operational decisions, increase costs, or override local team expectations without informed consent.
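The preview-then-apply step this finding says the installer lacks, written out as an added example (it is not the skill's own installer code). Two details are assumed because the page does not give them: the appended block is wrapped in begin/end marker comments so a re-run cannot append it twice, and the $HOME fallback location is `$HOME/AGENTS.md`. The helper resolves the target file the way the findings describe (repository root first, then the fallback), renders a unified diff of the proposed change, and writes only when the caller confirms, after taking a timestamped backup.

```python
"""Preview-then-apply helper for an AGENTS.md patch.

Added example, not the skill's installer.  Assumptions (not from the page):
the block is wrapped in marker comments so re-runs are idempotent, and the
$HOME fallback used by the installer is $HOME/AGENTS.md.
"""
import difflib
import shutil
import tempfile
import time
from pathlib import Path

BEGIN = "<!-- intelligent-router:begin -->"   # assumed marker, not from the page
END = "<!-- intelligent-router:end -->"       # assumed marker, not from the page


def resolve_agents_md(repo_root: Path, home: Path) -> Path:
    """Repo-root AGENTS.md if it exists, else the assumed $HOME fallback."""
    candidate = repo_root / "AGENTS.md"
    return candidate if candidate.exists() else home / "AGENTS.md"


def render_patch(existing: str, block: str) -> tuple:
    """Return (unified_diff, new_text); the diff is empty if the block is already present."""
    if BEGIN in existing:
        return "", existing
    addition = f"\n{BEGIN}\n{block.rstrip()}\n{END}\n"
    new_text = existing + addition
    diff = "".join(difflib.unified_diff(
        existing.splitlines(keepends=True),
        new_text.splitlines(keepends=True),
        fromfile="AGENTS.md", tofile="AGENTS.md (proposed)"))
    return diff, new_text


def apply_with_backup(path: Path, block: str, confirm: bool) -> dict:
    """Dry run by default: return the diff for review.  With confirm=True, back the
    file up with a timestamped copy and then write the patched text."""
    existing = path.read_text() if path.exists() else ""
    diff, new_text = render_patch(existing, block)
    result = {"path": str(path), "diff": diff, "applied": False, "backup": None}
    if not diff or not confirm:
        return result                      # nothing to do, or caller is only reviewing
    if path.exists():
        backup = path.with_name(f"{path.name}.{time.strftime('%Y%m%dT%H%M%S')}.bak")
        shutil.copy2(path, backup)
        result["backup"] = str(backup)
    path.write_text(new_text)
    result["applied"] = True
    return result


if __name__ == "__main__":
    # Constructed sample repo so the dry run can be inspected offline.
    tmp = Path(tempfile.mkdtemp())
    target = tmp / "AGENTS.md"
    target.write_text("# Team conventions\nRun tests before committing.\n")
    preview = apply_with_backup(target, "Route trivial edits to a small model.", confirm=False)
    print(preview["diff"])                  # review this before calling with confirm=True
```

Running the module prints the diff and changes nothing; only a second call with `confirm=True` writes, and the returned `backup` path is what you restore from if the new standing policy turns out to be unwanted.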

Missing User Warnings

Medium
Confidence: 91%
Finding
The live discovery path silently sends authenticated network requests to every configured provider using stored API keys. Even though this is functionally intended, it can incur charges, contact external services the user did not expect, and leak model/provider usage metadata without a prominent disclosure at the point of execution.

Missing User Warnings

Medium
Confidence: 94%
Finding
When --auto-update is supplied, the script rewrites config.json immediately without an additional confirmation prompt or backup step. In an agent or automation context, this can silently alter routing behavior, remove unavailable models, or persist incorrect state if discovery results are incomplete or manipulated.
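A guarded version of the config.json rewrite, added here as an example and not taken from the skill's --auto-update code. The config layout (providers carrying an `api_key` and a `models` list) and the discovery-report shape (one status per model: `ok`, `unavailable`, or `error` for a timeout, auth failure or other inconclusive probe) are assumed for illustration; both samples are constructed. The rule enforced is the one this finding implies: a model is removed only on a definitive `unavailable`, providers the report did not cover or could not probe cleanly keep their models, the current file is backed up first, and the replacement is written atomically. `redact()` gives a printable summary of what is configured without exposing the stored keys.

```python
"""Guarded config.json update for a model-discovery result.

Added example, not the skill's code.  The config and report shapes are
assumed for illustration and the sample values are constructed.
"""
import json
import os
import shutil
import time
from pathlib import Path
from typing import Optional

# Constructed sample config: providers with credentials and the models routed to them.
SAMPLE_CONFIG = {
    "providers": {
        "alpha": {"api_key": "sk-alpha-0000", "models": ["alpha-large", "alpha-small"]},
        "beta": {"api_key": "sk-beta-0000", "models": ["beta-fast"]},
    }
}

# Constructed discovery report.  "unavailable" is a definitive answer from the
# provider; "error" covers timeouts, auth failures and anything inconclusive.
SAMPLE_REPORT = {
    "alpha": {"alpha-large": "ok", "alpha-small": "unavailable"},
    "beta": {"beta-fast": "error"},
}


def redact(config: dict) -> dict:
    """Deep copy safe to print: credentials replaced, nothing else changed."""
    out = json.loads(json.dumps(config))
    for prov in out.get("providers", {}).values():
        if "api_key" in prov:
            prov["api_key"] = "***"
    return out


def plan_update(config: dict, report: dict) -> tuple:
    """Return (new_config, refusals).  Drop a model only on a definitive 'unavailable';
    keep anything the report did not cover or could not probe cleanly, and say why."""
    new = json.loads(json.dumps(config))      # never mutate the caller's config
    refused = []
    for name, prov in new.get("providers", {}).items():
        probed = report.get(name)
        if probed is None:
            refused.append(f"{name}: not covered by discovery, models kept")
            continue
        kept = []
        for model in prov.get("models", []):
            status = probed.get(model, "missing")
            if status == "unavailable":
                continue                      # definitive answer: safe to remove
            if status != "ok":
                refused.append(f"{name}/{model}: status {status}, kept")
            kept.append(model)
        prov["models"] = kept
    return new, refused


def write_config(path: Path, new: dict) -> Optional[Path]:
    """Back up the current file (if any), then replace it atomically.  Returns the backup path."""
    backup = None
    if path.exists():
        backup = path.with_name(f"{path.name}.{time.strftime('%Y%m%dT%H%M%S')}.bak")
        shutil.copy2(path, backup)
    tmp = path.with_suffix(".tmp")
    tmp.write_text(json.dumps(new, indent=2) + "\n")
    os.replace(tmp, path)                     # readers see the old or the new file, never a torn one
    return backup


if __name__ == "__main__":
    planned, refusals = plan_update(SAMPLE_CONFIG, SAMPLE_REPORT)
    print(json.dumps(redact(planned), indent=2))
    for line in refusals:
        print("kept:", line)
```

With the constructed report, `alpha-small` is dropped, `beta-fast` stays because its probe was inconclusive, and the refusal list records the decision so an operator can tell an incomplete discovery run from a genuine removal.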

VirusTotal

66/66 vendors flagged this skill as clean.
