Routstr Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Routstr balance-management skill, but it handles API keys and redeemable Cashu tokens, so users should verify the endpoint and inputs before use.

Install only if you intend to manage a Routstr account from this environment. Confirm ~/.openclaw/openclaw.json points to a trusted HTTPS Routstr endpoint, keep the API key protected, verify invoice amounts, and only pass Cashu tokens you are willing to redeem. Avoid sharing command lines, logs, or outputs that may include tokens, invoices, or account details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 96%
Finding: The skill documentation indicates shell and network-capable behavior, but it does not declare corresponding permissions. This weakens user awareness and policy enforcement, because a caller may invoke a skill that can access external services and local execution paths without explicit disclosure.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The skill claims balance checking, invoice creation, and invoice status checks, but also performs a Cashu-token top-up operation that changes account state and spends value. This mismatch can mislead users and automated reviewers into approving a skill with broader financial authority than its headline description suggests.

Missing User Warnings

Severity: Low
Confidence: 87%
Finding: The skill states it reads configuration from ~/.openclaw/openclaw.json but does not warn that this likely contains stored API credentials or sensitive account configuration. Users may run the skill without understanding it accesses local secrets, increasing the chance of accidental credential exposure or misuse.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The script sends a highly sensitive bearer API key and a user-supplied Cashu token to whatever URL is configured in the local config, without validating that the endpoint uses HTTPS or belongs to an expected trusted host. Because the Cashu token is placed in the query string, it is also more likely to be exposed via logs, proxies, shell history capture, or server access logs, increasing the chance of credential or token leakage and unauthorized fund redemption.

VirusTotal

66/66 vendors flagged this skill as clean.
