ClawHub

OpenRouter Usage

Security checks across malware telemetry and agentic risk

Overview

This skill appears to only use OpenRouter keys to fetch and print usage and spending information.

Prefer environment variables over credentials.env. If you use credentials.env, keep it out of version control, restrict file permissions, and only provide OPENROUTER_MGMT_KEY when you want model-level activity reporting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly advises users to store API secrets in a local `credentials.env` file without any guidance on file permissions, exclusion from version control, or secure lifecycle handling. This increases the chance of credential leakage through accidental commits, overly broad filesystem access, backups, logs, or sharing of the skill directory.

Credential Access

High
Category
Privilege Escalation
Content
"OPENROUTER_MGMT_KEY": os.environ.get("OPENROUTER_MGMT_KEY", "")
    }

    # If not in environment, try credentials.env file
    if not creds["OPENROUTER_API_KEY"] or not creds["OPENROUTER_MGMT_KEY"]:
        if os.path.exists(CRED_FILE):
            with open(CRED_FILE) as f:
Confidence
80% confidence
Finding
credentials.env

Credential Access

High
Category
Privilege Escalation
Content
"OPENROUTER_MGMT_KEY": os.environ.get("OPENROUTER_MGMT_KEY", "")
    }

    # If not in environment, try credentials.env file
    if not creds["OPENROUTER_API_KEY"] or not creds["OPENROUTER_MGMT_KEY"]:
        if os.path.exists(CRED_FILE):
            with open(CRED_FILE) as f:
Confidence
80% confidence
Finding
.env

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal