Dynamic Model Router

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a model-routing purpose, but it under-discloses sensitive prompt logging, local OpenClaw config access, network checks, temp-file prompt storage, and broad admin/config controls.

Review before installing if your prompts may contain secrets or proprietary data. Expect local logs/config files, possible provider config reads, network health checks, and prompt-bearing temp files if the OpenClaw invocation integration is used; install only if those behaviors fit your environment and you can control logging and permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The exported skill interface exposes configuration mutation and shutdown operations in addition to the advertised routing function. In a skill context, broad management APIs increase attack surface and allow callers to disable the skill, alter routing behavior, or manipulate persistent configuration without a demonstrated need for normal task routing.

Context-Inappropriate Capability

Medium
Confidence: 84%
Finding
The router class includes import/export, backup/restore, and cleanup functions that are unrelated to simple model routing and may touch persistent files or configuration state. If exposed to untrusted callers, these methods can enable unauthorized configuration tampering, rollback to unsafe settings, or file/path abuse depending on ConfigManager behavior.

Missing User Warnings

Medium
Confidence: 96%
Finding
The code logs a preview of the user task content and its length before routing. Tasks sent to an AI router may contain secrets, personal data, proprietary code, or regulated content, so even truncated logging can leak sensitive information into application logs, monitoring systems, or third-party log processors.

Missing User Warnings

Medium
Confidence: 89%
Finding
The code writes full model request contents, including prompts and message history, to a predictable temporary JSON file under /tmp without setting restrictive permissions or guaranteeing secure lifecycle handling. In a multi-user environment, sensitive prompts, secrets, or proprietary data may be exposed through filesystem access, leftover files after crashes, or symlink/race issues in a shared temp directory.

Missing User Warnings

Medium
Confidence: 90%
Finding
This path also persists the entire request payload to a temporary file before invoking the CLI, creating the same confidentiality risk for prompts and embedded secrets. Because the temp directory is globally configured as /tmp/openclaw-invoker and file creation does not explicitly harden permissions, the skill context makes this more dangerous on shared hosts or agent platforms where other processes may inspect or interfere with temp files.

Missing User Warnings

Medium
Confidence: 91%
Finding
The code performs outbound connectivity checks to provider-controlled URLs during discovery using `fetch()` with no user-facing consent, disclosure, or allowlist enforcement. Because `baseUrl` comes from configuration and can also be inferred, this can trigger unexpected network access and can be abused as SSRF-style probing of internal or sensitive endpoints if an attacker can influence the config.

Missing User Warnings

Medium
Confidence: 93%
Finding
The logger persists arbitrary context, routing reasoning, configuration changes, error stacks, and other caller-supplied metadata directly to disk with no redaction, allowlist, or sensitivity filtering. In this skill context, those fields can easily contain prompts, task identifiers, model/provider data, secrets, credentials, or other user-derived content, creating a realistic risk of sensitive-data exposure through local log files and console output.

Ssd 3

Medium
Confidence: 97%
Finding
Logging a plain-language preview of user-supplied task content can expose sensitive prompts, credentials, internal documents, or source code. In a routing skill, this context makes the issue more dangerous because the component is likely to process arbitrary high-sensitivity inputs from many upstream workflows.

VirusTotal

66/66 vendors flagged this skill as clean.