semantic-model-router

Security checks across malware telemetry and agentic risk

Overview

The skill mostly performs local model routing, but it silently saves routed prompts to a local plaintext history file.

Review this before installing if your prompts may include secrets, private code, customer data, or internal plans. The main issue is local retention, not evidence of malware: consider disabling or removing query logging, clearing query_history.json, and pinning dependencies before use in sensitive environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill advertises only local routing/classification behavior, but static analysis detected file read/write capabilities without any declared permissions. This creates a trust and transparency gap: users may install a seemingly low-risk skill that can access or modify local files, increasing the chance of unintended data exposure or tampering if the underlying scripts handle files unsafely.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The router stores full user prompts to a local JSON history file even though the skill is presented as a routing utility, not a telemetry or retention component. Queries may contain secrets, credentials, personal data, proprietary code, or regulated content, so undisclosed persistence creates a real confidentiality and privacy risk if the file is read by other users, included in backups, or exfiltrated.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The `_log_query` function appends every raw query to disk for later offline analysis, which is prompt retention unrelated to the core act of selecting a model for the current request. This creates a durable data store of sensitive natural-language inputs and expands the attack surface through local disclosure, accidental commits, backups, or later misuse.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Writing user queries to a local history file without any user-facing warning or consent is a real privacy/security issue because prompts often contain sensitive operational or personal information. In a model-routing skill, users reasonably expect transient processing, so hidden retention makes the behavior more dangerous in context.

Ssd 3

Medium
Confidence
98% confidence
Finding
The code persistently records raw natural-language queries in plain text JSON for later refinement, creating a straightforward data retention and leakage risk. Because this skill processes arbitrary user prompts, the stored history may include API keys, credentials, internal architecture details, legal/medical data, or source code, making compromise of the history file materially harmful.

Unpinned Dependencies

Low
Category
Supply Chain
Content
sentence-transformers>=2.2.2
numpy>=1.24.0
Confidence
94% confidence
Finding
sentence-transformers>=2.2.2

Unpinned Dependencies

Low
Category
Supply Chain
Content
sentence-transformers>=2.2.2
numpy>=1.24.0
Confidence
96% confidence
Finding
numpy>=1.24.0

VirusTotal

66/66 vendors flagged this skill as clean.