Smart Router for Ollama

Security checks across malware telemetry and agentic risk

Overview

This router mostly does what it claims, but it under-discloses prompt persistence and optional web-search behavior that can send full user queries outside the Ollama routing path.

Review before installing. Configure a trusted cloud Ollama endpoint or force local-only routing, disable search unless you explicitly want web lookups, and avoid entering secrets because prompts may be logged locally, stored in SQLite conversation history, sent to a remote Ollama server, or submitted to a SearXNG endpoint for search queries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding: The code initializes a persistent SQLite database for conversation storage, enabling retention of user interaction data beyond transient routing needs. In the context of a routing skill whose description focuses on model selection and cost-efficient delegation, silently adding persistent memory broadens data handling in a way users may not expect and increases privacy risk if sensitive prompts are stored locally.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding: This code stores raw user messages together with classification and routing metadata for every turn, creating a durable record of potentially sensitive conversation content. Because the skill is presented as a smart router rather than a memory or logging component, this undisclosed persistence materially increases the chance of privacy violations, unintended secondary use, or exposure through local compromise.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding: The router silently performs web-search augmentation and injects fetched external content into the model prompt, even though the stated purpose is only local/cloud model routing. This creates an undeclared data egress path and changes trust boundaries by sending user queries to external search infrastructure without clear consent.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding: The added web-search capability is broader than necessary for an Ollama router and materially alters the skill's behavior from model selection to retrieval-augmented answering. In a routing skill context, hidden retrieval is more dangerous because users may reasonably expect their prompt to stay within local/cloud Ollama endpoints rather than being shared with another external service.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding: The file introduces outbound web-search capability even though the skill is described as local/cloud Ollama task routing. That creates an unexpected networked data flow and expands the trust boundary, which can cause privacy, compliance, or policy violations if users or operators assume routing only occurs between approved model backends.

Description-Behavior Mismatch

Medium
Confidence: 84%
Finding: The script persistently writes detailed hardware fingerprinting data to `config/system_profile.json`, including RAM, GPU name, VRAM, CPU core count, and model recommendations. For a routing helper, persistent collection is broader than necessary and creates a local privacy and information-disclosure artifact that other components or users on the system may later read.

Vague Triggers

Medium
Confidence: 79%
Finding: The invocation guidance is extremely broad (e.g. use it for 'any request' that balances latency against capability), which can cause the skill to be selected for many ordinary prompts without the user realizing that routing logic or remote processing may occur. In context, that broad trigger surface is more dangerous because the skill may contact cloud endpoints and persist telemetry, making accidental over-invocation a privacy and policy risk.

Missing User Warnings

Medium
Confidence: 96%
Finding: The markdown describes cloud routing but does not give a prominent, plain-language warning that user requests may be transmitted to a remote/cloud Ollama instance. This omission is significant because task content may include sensitive data, and users may reasonably assume 'Ollama' means local/private processing unless remote transfer is clearly disclosed.

Missing User Warnings

Medium
Confidence: 84%
Finding: The router is explicitly designed to send tasks to either local or cloud Ollama endpoints, and this interface exposes a simple route() API without any visible user-consent gate, privacy notice, or control indicating when prompts or conversation-linked context may leave the local system. In a routing skill, user inputs may contain sensitive data, so silent transmission to remote services creates a real confidentiality risk, especially when conversation context can influence routing across multiple turns.

Missing User Warnings

Medium
Confidence: 96%
Finding: Persisting user messages to local SQLite without any warning or consent mechanism is a privacy and transparency failure, especially because users may enter secrets, credentials, or regulated data into prompts. Even though the storage is local, compromise of the host, backups, or shared environments could expose the stored conversation contents.

Missing User Warnings

Medium
Confidence: 97%
Finding: The code logs user task content, routing decisions, model names, and conversation identifiers to a file without any visible notice or consent flow. Prompts often contain sensitive data, so silent persistence increases privacy risk, insider exposure, and forensic recoverability even when the user expected ephemeral processing.

Missing User Warnings

Medium
Confidence: 96%
Finding: The router may send the user's query to a search subsystem and merge returned content into the prompt without explicit warning. This is dangerous because it can expose sensitive user input to third-party services and introduces untrusted external content into downstream model behavior, increasing both privacy and prompt-injection risk.

Missing User Warnings

Medium
Confidence: 96%
Finding: The code sends the full user task directly to an external SearXNG endpoint, defaulting to a public instance, without a clear consent or disclosure mechanism. If prompts contain secrets, internal data, or personal information, this leaks sensitive content off-box to an external service and may violate privacy expectations for a 'smart-router' skill.

Missing User Warnings

Medium
Confidence: 95%
Finding: `get_search_context()` performs a remote search using the full task text and silently returns the results as context, with no user-visible indication at this call site that network transmission occurred. This hidden exfiltration path is especially risky because it may be reused by other components that assume they are only building local prompt context.

Unpinned Dependencies

Low
Category: Supply Chain
Content:
pyyaml>=6.0
requests>=2.31.0
Confidence: 94%
Finding: pyyaml>=6.0

Unpinned Dependencies

Low
Category: Supply Chain
Content:
pyyaml>=6.0
requests>=2.31.0
Confidence: 94%
Finding: requests>=2.31.0

VirusTotal

59/59 vendors flagged this skill as clean.