Security audit

Query Router

Security checks across malware telemetry and agentic risk

Overview

This skill does not look intentionally harmful, but it overstates model-switching and rollback safety while also logging query snippets locally.

Install only if you are comfortable reviewing and using it as a recommendation/logging helper rather than trusting it to perform verified model switching. Avoid routing secrets or private code through it unless you are comfortable with local audit logs storing query snippets and with recommended routes using cloud-hosted models.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and appears to rely on shell execution, file access, logging, and model-check operations, but it declares no explicit permissions or constraints. This creates a transparency and policy-enforcement gap: an invoking agent or reviewer cannot accurately assess or sandbox the skill's real capabilities, increasing the chance of unintended file, shell, or network actions.
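The gap this finding describes can be checked mechanically: infer what a skill script is able to do from its imports and calls, then diff that against what its manifest declares. The following is an added example, not SkillSpector's scanner and not the Query Router skill's own code. The manifest field (a `declared` set of capability names), the capability vocabulary, and the sample script that mirrors the finding (shell for `--check`, a file-backed audit log, an environment variable read) are all constructed for illustration.

```python
"""Added example: least-privilege check that compares a skill script's
inferred capabilities against the permissions its manifest declares.
Capability names and the manifest format are hypothetical."""
import ast

# Capability implied by importing a module (constructed vocabulary).
MODULE_CAPS = {
    "subprocess": "shell",
    "socket": "network", "urllib": "network", "http": "network",
    "requests": "network", "httpx": "network",
    "pathlib": "filesystem", "shutil": "filesystem",
}
# Capability implied by a specific dotted call or attribute access.
CALL_CAPS = {
    "os.system": "shell", "os.popen": "shell",
    "subprocess.run": "shell", "subprocess.Popen": "shell",
    "subprocess.check_output": "shell", "subprocess.call": "shell",
    "open": "filesystem", "os.remove": "filesystem", "os.listdir": "filesystem",
    "os.walk": "filesystem", "os.environ": "env", "os.getenv": "env",
}

# Constructed sample script shaped like the finding: shell execution,
# local audit log writes, and an environment read, with nothing declared.
SAMPLE_SKILL_SCRIPT = '''
import os, subprocess, json
from pathlib import Path

LOG = Path.home() / ".query-router" / "audit.log"

def list_models():
    return subprocess.check_output(["model-cli", "list"], text=True)

def log(query, route):
    with open(LOG, "a") as f:
        f.write(json.dumps({"q": query[:100], "route": route}) + "\\n")

def api_key():
    return os.environ.get("ROUTER_API_KEY")
'''


def _dotted(node):
    """Return 'a.b.c' for an Attribute/Name chain, or None if it is not a plain chain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def infer_capabilities(source: str) -> set:
    """Static, conservative inference: what the code *can* do, based on
    which modules it imports and which sensitive calls/attributes it uses."""
    caps = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                cap = MODULE_CAPS.get(alias.name) or MODULE_CAPS.get(alias.name.split(".")[0])
                if cap:
                    caps.add(cap)
        elif isinstance(node, ast.ImportFrom) and node.module:
            cap = MODULE_CAPS.get(node.module) or MODULE_CAPS.get(node.module.split(".")[0])
            if cap:
                caps.add(cap)
        elif isinstance(node, (ast.Call, ast.Attribute)):
            name = _dotted(node.func if isinstance(node, ast.Call) else node)
            if name in CALL_CAPS:
                caps.add(CALL_CAPS[name])
    return caps


def audit_permissions(source: str, declared: set) -> dict:
    """Diff inferred capabilities against the declared set. 'undeclared' is the
    policy-enforcement gap from the finding; 'unused' is over-declaration."""
    inferred = infer_capabilities(source)
    return {
        "inferred": inferred,
        "undeclared": inferred - set(declared),
        "unused": set(declared) - inferred,
    }


if __name__ == "__main__":
    # The skill in the finding declares nothing, so everything it does is undeclared.
    print(audit_permissions(SAMPLE_SKILL_SCRIPT, declared=set()))
```

A reviewer would treat a non-empty `undeclared` set as a blocking finding; `unused` is the softer least-privilege complaint (a wildcard or over-broad declaration).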

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill metadata advertises safety features such as lock protection, verify-after-switch, rollback, and audit logs, but this file only computes a routing recommendation and emits it. In a routing component, overstating safety guarantees is dangerous because downstream systems or users may rely on controls that do not actually exist, leading to unsafe model switching or reduced auditability.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The function claims to perform routing, verification, and rollback, but never executes any model-switch action before reporting success or attempting verification. This creates a dangerous integrity gap: downstream systems or operators may trust that a safer or more capable model is active when it is not, which can bypass policy expectations and produce unsafe handling of sensitive tasks.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The code documents rollback as a safety feature, but on verification failure it only writes an audit entry and returns a message saying it rolled back. This is misleading and can leave the system in an unknown or incorrect state while falsely assuring users that recovery occurred, undermining safety controls and incident response.
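The three findings above (advertised safety features, no real switch before reporting success, a rollback that is only an audit line) describe one pattern. The following added example, which is not the Query Router skill's code, puts that pattern next to a router that actually switches, verifies the new model, and restores and re-verifies the previous one on failure, and that reports the `--no-verify` case as unverified rather than as success. `ModelBackend`, `route_claimed`, `route_verified` and the in-memory backend are hypothetical stand-ins for whatever mechanism activates a model in the real skill.

```python
"""Added example: honest verify-after-switch and rollback next to the
'claims it, only logs it' anti-pattern. All names are hypothetical."""
from dataclasses import dataclass, field
from typing import Iterable


class ModelBackend:
    """Constructed in-memory stand-in for the thing that activates a model.
    Models listed in `broken` can be switched to but fail their health check."""

    def __init__(self, active: str, broken: Iterable[str] = ()):
        self.active = active
        self._broken = set(broken)

    def switch(self, model: str) -> None:
        self.active = model

    def health_check(self) -> bool:
        return self.active not in self._broken


@dataclass
class RouteResult:
    recommended: str
    active: str          # what the backend reports, not what we intended
    verified: bool
    rolled_back: bool
    audit: list = field(default_factory=list)


def route_claimed(backend: ModelBackend, recommended: str) -> RouteResult:
    """The anti-pattern from the findings: compute a recommendation, write an
    audit line that reads like a verified switch, never touch the backend.
    `active` and `verified` here are assertions, not observations."""
    audit = [f"route={recommended} verified=ok rollback=n/a"]
    return RouteResult(recommended, recommended, True, False, audit)


def route_verified(backend: ModelBackend, recommended: str, verify: bool = True) -> RouteResult:
    """Honest version: remember the previous model, really switch, verify with a
    health check, and on failure restore the previous model and verify *that*.
    Every flag in the result is derived from observed backend state."""
    previous = backend.active
    audit = [f"switch {previous} -> {recommended}"]
    backend.switch(recommended)

    if not verify:
        # Equivalent of the documented --no-verify flag: the switch happened,
        # nothing was checked, and the result must say so instead of 'ok'.
        audit.append("verify skipped by caller; state is UNVERIFIED")
        return RouteResult(recommended, backend.active, False, False, audit)

    if backend.health_check():
        audit.append(f"verify {recommended}: ok")
        return RouteResult(recommended, backend.active, True, False, audit)

    audit.append(f"verify {recommended}: FAILED, restoring {previous}")
    backend.switch(previous)
    restored = backend.health_check()   # a rollback that is not itself verified is a guess
    audit.append(f"rollback to {previous}: {'ok' if restored else 'FAILED'}")
    return RouteResult(recommended, backend.active, False, restored, audit)


if __name__ == "__main__":
    backend = ModelBackend("local-small", broken={"cloud-large"})
    print(route_claimed(backend, "cloud-large"), "| backend really active:", backend.active)
    backend = ModelBackend("local-small", broken={"cloud-large"})
    print(route_verified(backend, "cloud-large"), "| backend really active:", backend.active)
```

The check a reviewer can apply to the real script is the same one the test below applies to `route_claimed`: after the function returns "verified", ask the backend what is active and see whether the two agree.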

Vague Triggers

Medium
Confidence
84% confidence
Finding
The skill description includes very broad activation phrases such as 'classify this', 'which model should I use', and 'query type', which overlap with ordinary user language and can cause accidental invocation. In a routing skill, unintended activation is risky because it may trigger model switching, logging, or downstream tool behavior without the user explicitly intending to use this skill.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The router is configured to send many query types to cloud-hosted models, but the script provides no disclosure or consent mechanism indicating that user prompts may leave the local environment. In a query-routing skill, this is materially risky because the whole purpose is to forward user content, which may include sensitive code, data, or attachments.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The audit logger persists the first 100 characters of every user query to disk without notice, consent, minimization, or access controls. In a routing skill, queries may contain credentials, proprietary code, internal prompts, or personal data, so this creates unnecessary data exposure and retention risk.
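The two Missing User Warnings findings share a fix: tell the user before a query leaves the machine, and keep only what an audit actually needs on disk. The following added example, not the skill's own logger, shows the pattern the finding describes (first 100 characters of the query written verbatim with default file permissions) next to a minimized logger and a disclosure hook. The route names, the `CLOUD_ROUTES` set, the credential-shaped query, and the secret-matching pattern are all constructed for the example.

```python
"""Added example: query-snippet logging as described in the finding, next to a
minimized audit record plus a cloud-routing disclosure. Names are hypothetical."""
import hashlib
import hmac
import json
import os
import re
import stat
import tempfile
from pathlib import Path

CLOUD_ROUTES = {"cloud-large", "cloud-vision"}          # constructed route names
# Constructed pattern for credential-shaped text; a real deployment would use
# a proper secret scanner, this is enough to show the minimization step.
SECRET_RE = re.compile(
    r"(?i)(api[_-]?key|token|secret|password)\s*[=:]\s*\S+|AKIA[0-9A-Z]{16}|Bearer\s+\S+"
)


def log_audit_naive(path, query: str, route: str) -> None:
    """Anti-pattern from the finding: raw query prefix, world-readable by default."""
    with open(path, "a") as f:
        f.write(json.dumps({"query": query[:100], "route": route}) + "\n")


def log_audit_minimized(path, query: str, route: str, key: bytes) -> dict:
    """Keep only what an audit needs: a keyed hash (lets repeated queries be
    correlated, cannot be reversed), length, whether the text looked like it
    held a credential, the route, and whether content left the local host.
    The file is created 0600 so other local users cannot read it."""
    entry = {
        "query_hmac": hmac.new(key, query.encode(), hashlib.sha256).hexdigest()[:16],
        "query_len": len(query),
        "secret_like": bool(SECRET_RE.search(query)),
        "route": route,
        "left_local_env": route in CLOUD_ROUTES,
    }
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def disclosure_for(route: str, query: str):
    """Text to surface *before* forwarding; None means nothing leaves the host."""
    if route not in CLOUD_ROUTES:
        return None
    warning = f"This query will be sent to a cloud-hosted model ({route})."
    if SECRET_RE.search(query):
        warning += " It appears to contain a credential; remove it or pick a local route."
    return warning


def demo() -> dict:
    """Run both loggers on a constructed query that embeds a credential and
    return what each left on disk, so the difference can be inspected."""
    query = "refactor this: client = Client(api_key=sk-test-1234567890abcdef) and retry on 429"
    route = "cloud-large"
    key = os.urandom(32)                                  # per-install audit key
    with tempfile.TemporaryDirectory() as d:
        naive, minimized = Path(d, "naive.log"), Path(d, "minimized.log")
        log_audit_naive(naive, query, route)
        entry = log_audit_minimized(minimized, query, route, key)
        return {
            "naive_line": naive.read_text(),
            "minimized_line": minimized.read_text(),
            "entry": entry,
            "minimized_mode": stat.S_IMODE(minimized.stat().st_mode),
            "disclosure": disclosure_for(route, query),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The naive record is enough to leak the key to anyone who can read the user's home directory; the minimized record still answers "was this query routed to the cloud, and did it look sensitive?", which is what an incident responder actually asks.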

Tool Parameter Abuse

High
Category
Tool Misuse
Content
```shell
python3 skills/query-router/scripts/router.py --check           # list available models
python3 skills/query-router/scripts/router.py --audit            # show recent routing log
python3 skills/query-router/scripts/router.py --no-lock          # disable lock protection
python3 skills/query-router/scripts/router.py --dry-run --no-verify  # preview without verify
```
Confidence
90% confidence
Finding
--no-verify: the documented flags let a caller switch off the skill's advertised safety controls with a single parameter. `--no-verify` skips the verify step and `--no-lock` disables lock protection, so an agent that passes either turns the router into an unchecked switch while the metadata still promises verification and rollback.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.