AI Task Router Auto-Route Prompts by Complexity (Local/Cloud)
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a simple in-memory prompt-routing helper, with no evidence of hidden network access, credential use, persistence, or destructive behavior.
This skill looks benign and narrowly scoped. Before installing, check whether your OpenClaw setup will actually dispatch routed prompts to cloud providers such as Sonnet or Opus, and review any custom routing rules so sensitive prompts or expensive tasks are not routed unexpectedly.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Some prompts may be routed to cloud or premium models depending on configuration, which can affect privacy and cost.
The skill is intended to select between local and cloud-capable model tiers. Although the provided code only returns a model name and does not transmit data, an integration using these decisions could send prompt content to external providers.
| Simple | ... | Local (Ollama) | ... | Moderate | ... | Mid-tier (Sonnet) | ... | Complex | ... | Premium (Opus) |
Confirm which models the host agent will actually call, and require explicit confirmation for sensitive or high-cost prompts if needed.
Bad custom rules could cause unexpected local/cloud model choices or disrupt routing.
Custom regex rules can change routing behavior. This is purpose-aligned customization, but unreviewed or overly broad rules could route prompts to the wrong model tier or introduce reliability issues.
if (config.customRules) { ... this.addRule(rule.name, new RegExp(rule.pattern, rule.flags || 'i'), rule.model, rule.reason); }Only load custom rules from trusted configuration, review model targets, and test rules before using them for automatic routing.
It may be harder to verify the publisher or track upstream changes.
The registry metadata does not identify a canonical source or homepage. The included code is small and has no install-time dependencies, so this is a provenance note rather than a security concern.
Source: unknown; Homepage: none
Review the included source before installing and prefer pinned, trusted versions if deploying broadly.