Arc Free Worker Dispatch 1.1.0
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill mostly delegates prompts to OpenRouter as advertised, but some paths can bypass its free-model and file-output safeguards.
Review this skill before installing. If you use it, send only non-sensitive prompts, use a limited OpenRouter key, avoid untrusted batch JSON files, manually restrict models to free IDs, and choose safe output paths until the batch/model validation gaps are fixed.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A batch file could make the agent use paid OpenRouter models and spend account credits even though the skill is advertised as using free models.
The batch path accepts a model value from the task JSON and sends it to OpenRouter without the _validate_model allowlist used by the task command. This conflicts with the skill's free-model/cost-saving purpose.
model = task.get("model") or MODEL_MAP.get(task_type, "openrouter/free") ... result = call_openrouter(prompt, model)Apply the same free-model allowlist to batch and status commands, reject non-free model IDs by default, and require explicit user confirmation for any paid model.
If an agent or user supplies a bad output path, batch results could overwrite important local files that the current user can write.
Batch output writes directly to the requested path without calling _validate_output_path, unlike the single-task output path.
if args.output:
with open(args.output, "w") as f:
json.dump(results, f, indent=2)Validate batch output paths the same way as task outputs, avoid overwriting existing files by default, and keep outputs in a clearly scoped working directory.
The skill can use the configured OpenRouter account and its associated quota or billing settings.
The skill uses the user's OpenRouter API key to authorize provider calls. This is expected for the stated integration, but it is still delegated account authority.
OPENROUTER_API_KEY = os.environ.get("OPENROUTER_API_KEY", "") ... "Authorization": f"Bearer {OPENROUTER_API_KEY}"Use a scoped or low-limit OpenRouter key if possible, monitor usage, and do not run untrusted batch files until model validation is fixed.
Any delegated prompt content may leave the local environment and be processed by OpenRouter or the selected model provider.
User prompts, and optional system prompts, are sent to OpenRouter-hosted models. This is disclosed and purpose-aligned, but it creates an external data boundary.
OPENROUTER_URL = "https://openrouter.ai/api/v1/chat/completions" ... messages.append({"role": "user", "content": prompt})Do not include secrets, private documents, customer data, or unreleased code in prompts unless you are comfortable sending them to OpenRouter under its terms.
It may be harder to confirm which publisher or version of the skill you are installing.
The embedded metadata does not match the registry metadata shown for owner ID, slug, and version, while the source is listed as unknown. This is a provenance/versioning inconsistency rather than proof of malicious behavior.
"ownerId": "kn785t314021w28f56kwc6j6398170th", "slug": "arc-free-worker-dispatch", "version": "1.1.0"
Verify the publisher and intended version before installing, and prefer a package whose registry metadata and embedded metadata agree.