Security audit

Multi-Council Decision Engine

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed OpenRouter-backed decision aid, with privacy-relevant logging and third-party prompt submission that users should understand before use.

Install only if you are comfortable sending decision prompts and optional context to OpenRouter and downstream model providers with your API key. Avoid confidential, regulated, customer-identifying, or secret data unless your provider terms and local policy allow it, and consider disabling or tightening the local prompt-preview log if logs may be backed up, shared, or inspected by others.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Tainted flow: 'req' from os.environ.get (line 219, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
            "https://openrouter.ai/api/v1/models",
            headers={"Authorization": f"Bearer {api_key}"},
        )
        with urllib.request.urlopen(req, timeout=10) as r:
            catalog = json.loads(r.read().decode())
        by_id = {m["id"]: m for m in catalog.get("data", [])}
        available = []
Confidence
90% confidence
Finding
with urllib.request.urlopen(req, timeout=10) as r:

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no permissions, but the metadata and description indicate it requires environment access, network access, and local file writes for API usage and cost logging. This creates a trust and review gap: operators may approve or sandbox the skill based on incomplete declarations while it still accesses secrets and external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The documented purpose says the skill is an 8-council decision board, but the behavior reportedly expands beyond that through extra councils, automatic gate functions, live model discovery, external API use, and local logging. When a skill understates its scope, users may unknowingly permit broader data processing and network/file activity than intended, which increases the risk of data leakage and unsafe deployment decisions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
User prompts and optional context are sent to third-party model APIs, which can expose sensitive business, personal, or regulated data to an external processor if callers are unaware. In a decision-engine skill, users may paste confidential strategy, financial, legal, or customer information, making silent third-party transmission materially risky.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code logs prompt previews to local files, which can capture fragments of confidential user input. Even truncated previews may contain names, credentials, financial details, or strategic plans, and local logs often persist longer and are accessible to other users, backups, or support tooling.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The cost log writes metadata about model usage to disk, including timestamps, model names, and token/character volume. While lower risk than full prompt logging, this can still reveal usage patterns, business activity timing, and potentially sensitive operational context without user awareness.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
            "openai package not installed. "
            "Run: pip install openai --break-system-packages"
        )
    api_key = os.environ.get("OPENROUTER_API_KEY")
    if not api_key:
        raise RuntimeError("OPENROUTER_API_KEY not set in environment")
Confidence
70% confidence
Finding
os.environ.get("OPENROUTER_API_KEY")

Env Variable Harvesting

High
Category
Data Exfiltration
Content
    except Exception:
        pass

    api_key = os.environ.get("OPENROUTER_API_KEY")
    if not api_key:
        return _HEAVY_FALLBACK
    try:
Confidence
70% confidence
Finding
os.environ.get("OPENROUTER_API_KEY")

VirusTotal

64/64 vendors flagged this skill as clean.