Ollama Model Router

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed model-routing helper with some privacy caveats, but I found no hidden execution, credential theft, exfiltration, or destructive behavior.

Install only if you are comfortable with model-routing decisions that may choose cloud models. Prefer local mode for confidential code, personal data, credentials, or proprietary material, and avoid passing secrets because the helper prints the task text to the terminal.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill includes executable shell examples and an implementation script that invokes local commands and network access, but it does not declare corresponding permissions or capabilities. In an agent environment, this can lead to undeclared command execution and unexpected access to local services, reducing auditability and user consent.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The documented purpose says the skill routes to cloud or local models by task type, but the actual behavior depends on a local Ollama endpoint, a local registry file, and only partially checks availability. This mismatch can cause users or higher-level agents to trust the skill with sensitive prompts under false assumptions about where data goes and how routing decisions are made.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The keyword-based classifier uses broad, overlapping terms such as 'write', 'help', 'what', and 'design', which can misclassify ordinary prompts. In a model-routing context, misclassification can send sensitive or safety-critical tasks to the wrong model class, including cloud-hosted models, creating privacy and reliability risks.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill explicitly discusses routing to cloud-hosted models but does not warn that user prompts may leave the local environment. In an agent setting, this omission can cause inadvertent disclosure of secrets, proprietary code, or personal data to third-party services when users believe routing is only a performance optimization.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script prints the full task description to stdout, which can expose sensitive prompts, code, credentials, or business data in terminal scrollback, logs, shell history wrappers, CI output, or other captured stdout sinks. In a model-routing skill, users may pass exactly the kind of sensitive task text they intend to keep private, so this disclosure is a real confidentiality risk even though it is not code execution.

VirusTotal

64/64 vendors flagged this skill as clean.