Venice.Ai Router Openclaw

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Venice.ai router, but its private-only privacy promise is not reliably enforced and sensitive prompt or tool data can be sent or printed in ways users may not expect.

Review this skill before installing if you handle confidential data. Use a dedicated Venice API key with spending limits, avoid relying on private-only until the model-selection bug is fixed, and do not pass secrets through prompts, conversation files, or tool arguments unless you accept that they may leave the machine or appear in logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Intent-Code Divergence
Severity: High | Confidence: 99%
Finding: The code explicitly documents `private-only` as restricting execution to private zero-retention models, but if a tier has no private candidates it silently falls back to all models, including non-private ones. This creates a trust-boundary violation where sensitive prompts may be sent to providers the user explicitly tried to avoid, undermining privacy guarantees and potentially causing confidential data disclosure.

Description-Behavior Mismatch
Severity: High | Confidence: 96%
Finding: The CLI advertises `--private-only` as "Only use private models (zero data retention)", but downstream selection logic can still choose non-private models because the enforcement is not strict. Misleading users into believing their data remains within zero-retention providers materially increases the risk of sending sensitive content to external non-private backends.

Missing User Warnings
Severity: Medium | Confidence: 85%
Finding: The README explains privacy modes and notes that requests may be proxied to external providers, but it does not give a prominent warning that default or anonymized routing can send prompts and conversation history outside Venice-hosted infrastructure. In a routing skill marketed heavily around privacy, this omission can mislead users into sending sensitive data under false assumptions, especially when conversation history and tool data may be included.

Natural-Language Policy Violations
Severity: High | Confidence: 96%
Finding: The README explicitly markets the platform as 'uncensored' with 'no content filters, no refusals,' which encourages use of the skill to bypass safety controls. In an agent skill context, that materially increases the likelihood of harmful or policy-violating outputs because the documentation frames safeguard removal as a product advantage.

Natural-Language Policy Violations
Severity: High | Confidence: 97%
Finding: The CLI example exposes an explicit uncensored mode and describes it as having 'no content filters, no refusals,' normalizing deliberate safety-bypass behavior. Providing a concrete command-line recipe makes misuse easier and lowers the barrier to generating harmful or disallowed content.

Vague Triggers
Severity: Medium | Confidence: 88%
Finding: The description is very broad and includes generic intents like chatting, sending prompts, smart model selection, privacy, web search, and tool use, which makes accidental or over-broad invocation more likely. In an agent ecosystem, this can route sensitive user requests to an external service unexpectedly, especially because the skill is user-invocable and positioned as a general-purpose chat/router.

Missing User Warnings
Severity: Medium | Confidence: 94%
Finding: The README promotes conversation-aware routing and use of conversation history, but it does not clearly warn that prompts, attached conversation context, tool definitions, and possibly sensitive text may be transmitted to Venice.ai. This is especially risky because the skill markets privacy and 'private-only' mode, which may cause users to underestimate that data still leaves the local environment and is sent to an external provider.

Missing User Warnings
Severity: Medium | Confidence: 94%
Finding: Streaming tool call handling prints full function names and raw arguments to stderr. Tool arguments can contain secrets, PII, internal URLs, tokens, or user content inferred by the model, so this behavior can leak sensitive data into shell history captures, logs, CI output, or observability pipelines.

Ssd 1
Severity: Medium | Confidence: 93%
Finding: The marketing language treats refusals and safety filters as undesirable obstacles and positions the skill as a way around them. Even though this is documentation rather than executable code, it semantically encourages safety-control evasion and can shape deployments toward less safe operating modes.

Ssd 1
Severity: Medium | Confidence: 94%
Finding: The uncensored-mode usage example presents disabling safeguards as a normal feature for obtaining content mainstream providers may block. In context, this is more dangerous because the skill is a router that can make such access convenient and repeatable for end users.

Ssd 1
Severity: Medium | Confidence: 91%
Finding: The configuration table and CLI help repeatedly describe uncensored models as a preferred option for avoiding filtering, reinforcing safety-bypass semantics throughout the documentation. Repetition across setup and help text increases the chance that deployers will enable the feature by default or misunderstand its risk.

Ssd 3
Severity: Medium | Confidence: 95%
Finding: Echoing tool call arguments to stderr creates a plain-text disclosure channel independent of the API transport. Even if the upstream provider is trusted, secrets can be exposed locally to logs, terminal recorders, support bundles, or other users with access to process output.

Ssd 3
Severity: Medium | Confidence: 95%
Finding: The non-streaming response path also prints complete tool call arguments, duplicating the same data exposure risk in another execution mode. This broadens the leak surface because sensitive arguments may be logged regardless of whether streaming is enabled.

VirusTotal

65/65 vendors flagged this skill as clean.