YantraRouter

Security checks across malware telemetry and agentic risk

Overview

This is a coherent OpenClaw model-provider plugin that sends agent conversations to Yantra's remote cdecli service, with no artifact evidence of hidden or destructive behavior.

Install only if you are comfortable sending prompts, system prompts, and conversation text to Yantra's cdecli service or to your configured YANTRA_BASE_URL. Use your own endpoint if you need stricter data control, and treat the Yantra API key like any other provider credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill forwards system prompts, user messages, session data, and optional API credentials to a remote service at YANTRA_BASE_URL, with a default external endpoint of https://cdecli-agent.cdebase.dev. In an agent/plugin context, prompts often contain sensitive secrets, internal instructions, or proprietary data, so undisclosed transmission to a third-party backend creates a meaningful confidentiality and data-governance risk.

VirusTotal

62/62 vendors flagged this plugin as clean.
