Ai Provider Bridge

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Prompt-injection indicators were detected in the submitted artifacts (system-prompt-override); human review is required before treating this skill as clean.

This appears safe for its stated purpose if you intend to bridge to AI providers. Before installing, decide which providers you trust, configure only the needed API keys, avoid sending secrets or private data to cloud models, and monitor API usage. Use local Ollama when you need prompts to stay on your machine. ClawScan detected prompt-injection indicators (system-prompt-override), so this skill requires review even though the model response was benign.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If configured, the skill can make requests against the user's AI-provider accounts and may incur provider costs.

Why it was flagged

The skill uses provider API keys for account-authorized model calls. This is expected for the bridge's purpose, but users should recognize these keys can authorize usage and charges.

Skill content

ANTHROPIC_API_KEY: "Required for Anthropic/Claude models" ... OPENAI_API_KEY ... GOOGLE_API_KEY ... XAI_API_KEY ... MISTRAL_API_KEY

Recommendation

Configure only the providers you intend to use, use restricted keys where available, and monitor billing/usage limits.

What this means

Any secrets, private text, or business data included in prompts may be sent to the selected external AI provider.

Why it was flagged

The code sends prompts, system prompts, and conversation history to external model-provider APIs when a cloud model is selected. This is purpose-aligned and disclosed, but it is a sensitive data boundary.

Skill content

messages: [ ...(this.systemPrompt ? [{ role: 'system', content: this.systemPrompt }] : []), ...history ] ... this._httpsRequest('api.openai.com', '/v1/chat/completions'

Recommendation

Avoid sending sensitive data unless the provider and account terms are acceptable; use local Ollama for prompts that should remain local.

What this means

Users have less independent context for verifying the publisher or tracking upstream changes.

Why it was flagged

The registry metadata does not provide a source repository or homepage for independent provenance review. The visible artifacts do not show a risky install mechanism, so this is a provenance note rather than a concern.

Skill content

Source: unknown; Homepage: none

Recommendation

Install only if you trust the publisher and review the packaged source before using real API keys.