SpaceRouter
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Other HTTP tools run in the same shell could use the residential proxy unexpectedly, consuming quota and sending request metadata through the proxy provider.
This is disclosed and aligned with a proxy skill, but it can route more traffic than a single intended request if left set in the shell.
Set `HTTP_PROXY` and `HTTPS_PROXY` so all HTTP clients in the shell session use the proxy automatically
Prefer per-request proxy settings such as curl -x when possible, and unset HTTP_PROXY/HTTPS_PROXY after the task.
Anyone who sees the environment variable or proxy URL could potentially use the user's Space Router account or quota.
The required proxy URL embeds an API key credential. This is expected for the service, and the artifacts do not show logging or unrelated use of the key.
SPACE_ROUTER_PROXY_URL=https://sr_live_YOUR_API_KEY@gateway.spacerouter.org
Store the proxy URL securely, avoid pasting it into logs or chats, and rotate the key if it is exposed.
Installing the wrong or compromised package could affect the local environment.
The documentation suggests installing external SDK/CLI packages without pinned versions. This is normal for SDK usage, but users should confirm package provenance.
pip install spacerouter ... npm install @spacenetwork/spacerouter ... pip install spacerouter-cli
Verify the package publisher and version before installing, and use pinned versions in controlled environments.
The proxy provider may observe destination metadata and, for non-HTTPS HTTP traffic, request contents.
The skill intentionally sends web traffic through an external proxy gateway. This is its stated purpose, but it creates an external data boundary.
Route your HTTP requests through residential IP addresses via Space Router's forward proxy.
Do not route sensitive, internal, or authenticated traffic through the proxy unless you are comfortable with the provider boundary and the target site's requirements.