ClawHub

OpenRouter Analytics

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate OpenRouter analytics helper, but it handles OpenRouter credentials and can export sensitive usage data to local CSV files.

Install only if you are comfortable letting the skill use your OpenRouter API or management key. Prefer a least-privilege key, keep .env files private, verify which credential source is being loaded, and export CSV reports only to a deliberate non-sensitive path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill instructs users to run a Python script that uses environment variables, reads local .env files, performs network calls to OpenRouter, and writes output such as CSV files, yet the skill declares no permissions. This creates a transparency and consent problem: users may provide sensitive management keys or allow file/network access without an explicit permissions declaration, increasing the risk of unintended credential exposure or overbroad execution.

Context-Inappropriate Capability

Low
Confidence
90% confidence
Finding
The script explicitly states it will auto-load credentials from local .env files, which expands its access to local secrets beyond values the user deliberately passed on the command line. In a troubleshooting skill, silently reading ~/.openclaw/.env and the current directory .env can cause unintended secret use and makes the skill operate on credentials the user may not expect it to access.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The documentation states that the script auto-loads credentials from ~/.openclaw/.env and the current directory .env, but it provides no caution about secret handling, scope of loaded variables, or the sensitivity of management keys. In this context the risk is real because the skill is specifically designed to use high-value OpenRouter management and API keys, so silent credential loading can lead to accidental misuse, leakage into logs, or use of the wrong credentials.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The CSV export writes potentially sensitive activity analytics to any user-supplied filesystem path without confirmation, path restrictions, or warning about the sensitivity of the exported data. This can lead to accidental overwrites of local files or persistence of billing, model, provider, and usage data in locations that are less protected than the API response path.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Before parsing user arguments, the script silently reads ~/.openclaw/.env and the current directory .env, importing any matching secrets into the process environment. This hidden credential discovery broadens local data access and makes the tool more dangerous in agent contexts, where users may not realize the skill will inspect local secret files as part of normal execution.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal