Openclaw Router

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its model-routing purpose, but it handles cloud credentials and image uploads with too little scoping, and its documentation follows unsafe disclosure patterns (visible key fragments, endpoints, and credential inventory).

Install only if you are comfortable with the skill inspecting model-related environment variables and potentially routing prompts or images to configured cloud AI providers. Use a dedicated test API key, avoid secrets or regulated data until provider routing is reviewed, disable or avoid vision/OCR unless needed, and do not share screenshots or logs that show key fragments, endpoints, account IDs, or model inventory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill advertises behaviors that imply access to environment data, local configuration files, persistent config writes, and networked cloud providers, yet it declares no explicit permissions or user-facing disclosure for those capabilities. This creates a transparency and consent gap: users and host systems cannot accurately evaluate what the skill can access or transmit before enabling it.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
If the skill performs image analysis, OCR, screenshot inspection, and sends image data to external providers while presenting itself only as a routing/cost-optimization tool, users may unknowingly expose sensitive visual data such as documents, credentials, or UI state. Hidden multimodal collection materially expands the data sensitivity and attack surface beyond the declared purpose.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document states the service does not use automated decision-making, but the skill is explicitly described as an intelligent model-routing system. That creates a materially misleading privacy/compliance statement that could invalidate user disclosures and consent under PIPL, especially if routing decisions affect how user data is processed or which providers receive it.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The screenshot example explicitly shows a credential-like value (`sk-5d5ca...`) in a UI intended for documentation screenshots. Even though partially masked, this normalizes capturing and sharing real secrets and can leak identifying prefixes, key formats, provider usage, or insufficiently redacted credentials if users follow the guide literally.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
This section shows multiple real-looking credential identifiers and account details across providers, including API key prefixes, AWS-style access key format, and an Azure endpoint. Publishing screenshots based on this example could disclose sensitive authentication material or infrastructure details, enabling account targeting, phishing, reconnaissance, or direct compromise if redaction is incomplete.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The detector checks the environment for several providers' API keys and collects system resource details, which exceeds the minimum needed unless the skill clearly discloses and justifies this host profiling. Even though it only returns masked keys rather than exfiltrating full secrets, it still gathers sensitive configuration metadata that reveals which services the user has access to and details about the host environment.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This file implements OCR, screenshot inspection, and image understanding with third-party vision APIs, which is materially broader than the stated skill purpose of model routing/cost optimization. Hidden or unjustified capability expansion is dangerous because it can expose sensitive screenshots and documents to external providers without users expecting that behavior.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The module automatically discovers and uses multiple provider API keys from environment variables to enable an undeclared vision capability. While reading API keys is normal for integrations, doing so for a feature outside the advertised scope increases the risk of unauthorized external use and makes the skill more dangerous in context.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly documents automatic detection and use of multiple cloud-provider credentials, but it does not warn users that prompts, context, or other potentially sensitive data may be transmitted to third-party services once routing selects a cloud model. In a model-routing skill, this omission is security-relevant because users may assume local-first behavior while the router silently escalates workloads to external providers, creating privacy, compliance, and data-handling risks.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README states that the router auto-detects cloud providers from credential environment variables, but it does not clearly warn users that the skill may inspect sensitive API credentials present in the environment and use them to activate external integrations. In an agent skill context, this increases the risk of unexpected credential use, accidental outbound connections, and unintentional disclosure of prompts or metadata to third-party services.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README promotes local, cloud, and hybrid deployment modes without warning that cloud or hybrid routing may send user prompts, context, files, or metadata to external model providers. For a routing skill, that omission is security-relevant because users may reasonably assume local handling while the router can forward sensitive data to third parties depending on configuration or detected providers.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill describes cloud routing and user preference learning, but does not warn that prompts, metadata, or learned preference profiles may be sent to third-party model providers or stored locally/remotely. This omission can lead to unintentional disclosure of sensitive user content and creation of behavioral profiles without informed consent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The submission describes hybrid and cloud deployment modes and names multiple third-party providers, but it does not clearly disclose that user prompts, context, or other data may be transmitted off-device to external services during routing. In a routing skill, this omission is security-relevant because users may assume local handling while sensitive data is actually sent to cloud providers with different retention, logging, and compliance characteristics.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The FAQ says users can use the skill by configuring their own cloud API key, but it does not warn that API keys are sensitive secrets requiring careful storage and handling. This increases the risk of credential leakage through screenshots, logs, shell history, config files, or accidental sharing, which could lead to account compromise and unauthorized billing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The examples explicitly route prompts to cloud models such as dashscope/qwen3-max but do not warn that user inputs may be transmitted to a third-party provider. In an AI routing skill, examples strongly shape operator expectations; omission of a privacy warning can cause users to send source code, business plans, or personal data externally without informed consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The hybrid and pure-cloud deployment sections recommend external providers but omit an explicit statement that request contents leave the local environment. Because this skill's core function is model routing, the missing disclosure is more dangerous than in a generic README: users may assume routing is only a cost/quality feature and overlook the confidentiality implications of automatic escalation to cloud services.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The example shows automatic discovery of installed models and configured cloud credentials, including partial API key disclosure (for example, a visible key prefix). Even in documentation, normalizing credential inspection and display can encourage implementations that read sensitive environment variables and echo secrets to users, logs, screenshots, or shared terminals.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This section explicitly documents auto-detection of credentials from multiple providers via environment variables and then shows detection results with partial key values. In an agent skill context, that behavior is more dangerous because the skill may be granted access to the runtime environment, making silent credential enumeration and disclosure a realistic privacy and secret-handling risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The FAQ instructs users to print API keys with `echo $...` and to persist plaintext secrets into `~/.bashrc` without warning about shell history, shoulder-surfing, shared terminal logs, or multi-user host exposure. While common in informal setup docs, this increases the risk of credential leakage and long-lived secret exposure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The FAQ instructs users to display API keys in the shell and then persist them into ~/.bashrc without any warning about shell history, shoulder-surfing, or safer secret storage. This creates a real risk of credential exposure and long-lived secret leakage, especially in shared machines, recorded terminals, or support sessions.
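As an added example (not from the skill's FAQ or code), the POSIX shell functions below do what the two FAQ findings above say the documented procedure should do: confirm a key is configured without echoing it, report only its length when a support session needs evidence, and persist it to a mode-0600 env file that is sourced on demand instead of exporting it from ~/.bashrc. The variable name DEMO_KEY and the file path are placeholders; reading the value from stdin rather than argv is a design choice that keeps the secret out of `ps` output and shell history.

```shell
#!/bin/sh
# Added example, not part of the skill or its docs.
# Safer handling of provider API keys than `echo $KEY` + `~/.bashrc`.

# Return 0 if the named variable is set and non-empty, without printing it.
# eval gives POSIX-sh indirect lookup ($1 is the variable NAME).
key_is_set() {
    eval "[ -n \"\${$1:-}\" ]"
}

# Print only the name and character count of a key, never its content.
# A length is safe to paste into an issue; a prefix such as sk-5d5ca... is not.
key_summary() {
    if key_is_set "$1"; then
        eval "len=\${#$1}"
        printf '%s: set (%s chars)\n' "$1" "$len"
    else
        printf '%s: not set\n' "$1"
    fi
}

# Append "export NAME='value'" to a private env file, reading the value from
# stdin so it never appears in argv or shell history. The file is created
# under umask 077 and chmod'ed 0600; load it with `. path` only when needed.
# Assumption: the value contains no single quote (true for API keys).
write_env_file() {
    file=$1
    var=$2
    IFS= read -r value
    old_umask=$(umask)
    umask 077
    printf "export %s='%s'\n" "$var" "$value" >> "$file"
    umask "$old_umask"
    chmod 600 "$file"
}

# Usage (interactive):
#   key_summary DASHSCOPE_API_KEY
#   printf '%s\n' "$(head -c 64 /dev/null)" | write_env_file ~/.config/openclaw.env DASHSCOPE_API_KEY
#   . ~/.config/openclaw.env
```

Source the env file in the shell that runs the agent rather than in every login shell, and keep it out of version control and screenshots.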

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide instructs users to analyze screenshots and extract text via third-party cloud APIs, but it does not clearly warn that screenshots and document images may contain secrets, personal data, or internal business information that will be transmitted off-device. In the context of an AI routing skill, this undocumented expansion into cloud-based image processing increases the risk of unintended data disclosure because users may assume the tool only routes text/model requests rather than uploading sensitive visual content.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The guide instructs users to capture screenshots of configured environments but does not warn them to redact secrets first, while the example itself includes a visible key fragment. In a routing skill that interfaces with local and cloud AI providers, this increases the chance that operational credentials will be exposed in shared documentation, issues, or marketing materials.

Missing User Warnings

High
Confidence
99% confidence
Finding
The cloud-provider example aggregates several credential-like strings and service endpoints without any warning to sanitize or mock them. Because this skill is specifically about model routing across multiple cloud providers, exposed screenshots would reveal a high-value concentration of provider access and infrastructure details, making the context more dangerous than a generic UI mockup.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code reads several API key environment variables and returns partially masked values without any visible disclosure in this file. Partial secret exposure is still sensitive because prefixes/suffixes can aid secret identification, correlation across logs, and inadvertent leakage to callers or telemetry systems.
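Added example, not the detector's own code, covering two remediations the findings above point at: a presence-only report that replaces masked key fragments (this finding), and a redaction filter to run over terminal output or log text before it goes into a screenshot, issue, or support chat (the credential-aggregation findings). The provider-to-variable mapping (OPENAI_API_KEY, DASHSCOPE_API_KEY, AWS_ACCESS_KEY_ID, AZURE_OPENAI_API_KEY) and the credential shapes matched by the sed rules are assumptions about a typical environment, not details the scan reports about this skill.

```shell
#!/bin/sh
# Added example, not the skill's code.

# Presence-only provider detection: prints "provider:set" or "provider:unset"
# and never any part of the value. A masked prefix such as sk-5d5ca... still
# identifies the provider and key family; a boolean does not.
# Variable names below are assumptions about a typical environment.
detect_providers() {
    for spec in \
        openai:OPENAI_API_KEY \
        dashscope:DASHSCOPE_API_KEY \
        aws:AWS_ACCESS_KEY_ID \
        azure:AZURE_OPENAI_API_KEY
    do
        name=${spec%%:*}
        var=${spec#*:}
        if eval "[ -n \"\${$var:-}\" ]"; then
            printf '%s:set\n' "$name"
        else
            printf '%s:unset\n' "$name"
        fi
    done
}

# Scrub common credential shapes from stdin before sharing text or screenshots:
#   sk-...                       OpenAI-style secret keys, including masked fragments like sk-5d5ca...
#   AKIA + 16 chars              AWS access key IDs
#   <name>.openai.azure.com      Azure OpenAI resource names inside endpoint URLs
#   Bearer <token>               HTTP Authorization headers in captured requests/logs
redact() {
    sed -E \
        -e 's/sk-[A-Za-z0-9_.-]+/sk-[REDACTED]/g' \
        -e 's/AKIA[0-9A-Z]{16}/AKIA[REDACTED]/g' \
        -e 's#https://[A-Za-z0-9-]+\.openai\.azure\.com#https://[REDACTED].openai.azure.com#g' \
        -e 's|(Bearer )[A-Za-z0-9._~+/=-]+|\1[REDACTED]|g'
}

# Usage:
#   detect_providers            # safe to paste as-is
#   env | redact                # still lists variable names; values of known shapes are scrubbed
#   some-tool --verbose 2>&1 | redact | tee shareable.log
```

The redaction is a last line of defense for text that has already been produced; the detector-side fix is to never emit the fragment in the first place, which is what `detect_providers` does.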

Missing User Warnings

Low
Confidence
84% confidence
Finding
The detector performs an undisclosed HTTP request to a local service to probe for Ollama. Local network probing is a privacy-sensitive action because it reveals information about installed software and can trigger unexpected side effects or logging on the target service, even if the destination is localhost.

VirusTotal

64/64 vendors flagged this skill as clean.
