ZeroAPI Router

Security checks across malware telemetry and agentic risk

Overview

No malicious behavior was verified; the main unresolved issue is an advisory report about local logging of sensitive routing metadata.

Before installing, check whether this package creates local routing/debug logs and whether those logs include account IDs, auth profile names, model choices, or free-form reasons. If present, keep logs private, avoid sharing them in support bundles, and look for a way to disable, rotate, or redact them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The code persistently logs routing metadata, including agent identifiers, auth profile overrides, selected account IDs, model choices, risk values, and free-form reasons, to a local file without any visible consent, minimization, redaction, retention control, or access restriction. Even if intended for debugging, this creates a privacy and security exposure because sensitive operational and identity metadata may be stored in plaintext and later accessed by unauthorized users, bundled into support artifacts, or retained longer than expected.

VirusTotal

62/62 vendors flagged this plugin as clean.

View on VirusTotal