Smart Router
PassAudited by ClawScan on May 1, 2026.
Overview
The skill appears to do what it advertises, but it uses your provider API key and can send prompts, images, code, or generation requests to a configured external AI service.
Install only if you are comfortable routing selected requests through a third-party OpenAI-compatible provider. Configure a trusted HTTPS base URL, use a scoped API key, monitor cost, and avoid sending confidential prompts, images, or code unless that provider is approved for the data.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Normal chat, code, image, audio, or video requests may result in external model calls, which can use API quota or incur provider costs.
The skill gives the agent a Bash-backed route for automatic model selection. This is central to the router purpose, but it can trigger external API calls for broad user requests.
allowed-tools: Bash(smart-router:*) ... When no `@alias` is specified, classify the task automatically
Review the default models and provider limits before use, and consider asking for confirmation before expensive or sensitive generation tasks.
The configured API key can authorize billable model requests and access to the chosen provider account.
The skill requires a provider API key and base URL. This is expected for an external model router, and the provided code does not show hardcoded keys or credential logging.
export SMART_ROUTER_BASE_URL="https://your-api-provider.com/v1" export SMART_ROUTER_API_KEY="your-api-key"
Use a scoped API key, prefer a trusted HTTPS provider, monitor usage, and rotate the key if it may have been exposed.
Prompts, code snippets, image URLs, and generated-content requests may be processed and retained according to the configured provider's policies.
The script sends the constructed prompt/message body to a user-configured external API endpoint. That is purpose-aligned, but it creates an external data boundary.
response=$(curl -sS --max-time 120 "$BASE_URL/chat/completions" \
-H "Authorization: Bearer $API_KEY" \
-H "Content-Type: application/json" \
-d "$body")Do not route confidential material unless the provider and retention policy are acceptable for that data.
Installation metadata may not warn users that credentials, curl, and jq are needed for the skill to work.
The registry metadata under-declares setup requirements compared with the documented API key/base URL and the scripts' use of shell tooling. The behavior is disclosed in README/SKILL and source, but install-time visibility is incomplete.
Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none
Declare SMART_ROUTER_BASE_URL, SMART_ROUTER_API_KEY, curl, and jq in the skill metadata so users see requirements before installing.