Back to skill

Security audit

Token Router

Security checks across malware telemetry and agentic risk

Overview

Token Router is a disclosed model-selection and cost-optimization skill, with the main caveat that it can remember routing preferences and cost history.

Install this if you want model-routing and token-cost guidance. Before using persistent memory, consider whether you are comfortable with it remembering model preferences, optional budget information, task summaries, feedback, quality scores, and estimated costs for future recommendations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill presents itself as a model-routing advisor but instructs the system to build persistent user profiles and store behavioral history across interactions. This expands scope beyond the user-visible purpose, creating a privacy and data-minimization risk because users may not expect long-term retention of strategy preferences, budget signals, and upgrade history.

Context-Inappropriate Capability

Low
Confidence
81% confidence
Finding
The monthly reporting and cross-session analytics features collect aggregate behavioral data that is not clearly necessary for basic model-routing recommendations. Even if intended for optimization, this increases long-term observability of user behavior and cost patterns, which can expose usage habits or sensitive business metadata if memory is accessed or reused inappropriately.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger rules are overly broad and mandate activation for generic cost-related language, causing the skill to engage in contexts where the user may not actually want model-routing analysis. This can lead to unnecessary collection of preference, cost, or workflow information and increases the chance of the skill interfering with unrelated tasks.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill instructs storage of structured user profiles in memory or conversation context, including strategy, budget, overrides, and upgrade history. Persisting this data without explicit consent or strict minimization creates privacy risk and can leak sensitive commercial preferences or budget constraints across future interactions.

Ssd 3

Medium
Confidence
96% confidence
Finding
The session trace design requires ongoing logging of user intent, routing decisions, quality scores, token estimates, cost, and user feedback for each turn. This creates a detailed behavioral log that can reveal sensitive operational patterns, and the risk is amplified because the skill is framed as a routine advisor rather than a telemetry-heavy monitoring system.

Ssd 3

Medium
Confidence
95% confidence
Finding
The learning registry stores historical user rejection patterns, task types, and adjusted routing behavior across sessions, effectively creating a behavioral profile. This is dangerous because it preserves fine-grained interaction history beyond the immediate task and can expose sensitive business domains, dissatisfaction patterns, or workflow characteristics if accessed by other components.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.