
Security audit

Smart Model Router

Security checks across malware telemetry and agentic risk

Overview

This skill is a legitimate model-routing helper, but it can persist credentials, change global OpenClaw model settings, and includes extra local file-inspection tools that are not well explained.

Install only if you want this skill to manage TokenRouter inside your OpenClaw configuration. Review changes to ~/.openclaw/openclaw.json before and after setup, use a limited-scope API key if possible, watch for plaintext key copies in backups, and do not run the included smart_find.py or smart_map.py on sensitive workspaces unless you specifically want broad local file inspection.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill performs privileged actions—reading local config files, writing configuration, and making network requests—without declaring those capabilities up front. This increases the chance that a user or host system will invoke the skill without realizing it can alter local state and contact external services, which is especially risky because it stores provider settings and syncs models automatically.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The advertised purpose is cost-optimized model routing, but the skill also reads and writes persistent local configuration, manages allow-lists, references workspace memory files, and includes broader file/codebase inspection behavior. This mismatch can mislead users into approving a seemingly harmless routing tool that in practice has configuration-management and local data access powers.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The skill's stated purpose is model routing and cost optimization, but this code also provisions providers and rewrites core OpenClaw configuration, expanding its privileges beyond what a user would reasonably expect. That scope mismatch is dangerous because a routing helper can silently alter persistent agent behavior and trust boundaries, including future model/provider selection.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The planning flow invokes prepare_for_planning(), which fetches remote data, updates provider models, modifies allow lists, and may set the default current model before merely generating a plan. This violates least surprise: a 'plan' action should not persistently change configuration, and the hidden side effects could reroute later agent tasks through different providers or models.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The setup flow accepts a user API key and stores it directly in persistent local configuration, even though credential management is not essential to simple model routing. Persisting secrets in broad configuration files increases exposure to local compromise, accidental disclosure, backup leakage, or reuse by unrelated components that read the same config.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The router does more than select models: it writes a machine-readable swarm execution plan into a workspace file intended for the host agent to consume and act on. That broadens the skill into job orchestration, creating a control channel where task text, prompt templates, or custom routing inputs can influence downstream agent execution beyond the advertised scope.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The prompts define a generic multi-agent workflow for architecture design, code generation, auditing, planning, and content drafting, which materially exceeds the stated purpose of a smart model routing skill. This expands the skill from routing into broad task execution with file-writing side effects, increasing the chance of misuse, prompt injection abuse, or unintended autonomous code/content generation in environments that expose tools.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The task templates instruct agents to read local files and write new files such as SPEC.md, main.py, AUDIT.md, PLAN.md, and RESULT.md, but these capabilities are not justified by an API cost/model routing use case. In a tool-enabled agent runtime, this creates an unnecessary capability for local workspace modification and code generation that could be abused to plant files, overwrite artifacts, or pivot into broader execution workflows.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The implemented behavior is materially different from the declared skill purpose. Instead of routing models or optimizing API costs, this script searches the local filesystem and prints file contents, which creates an unjustified data-access capability that could expose sensitive workspace files. The mismatch between stated purpose and actual capability is especially risky in agent environments because it can hide unexpected file-reading behavior behind an unrelated description.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The function reads and returns the full contents of any matched local file without path restrictions, sensitivity checks, or user confirmation. Combined with fuzzy search over the working tree, this can disclose secrets, credentials, source code, configuration, or private documents unrelated to the stated model-routing function. In this skill context, the capability is more dangerous because arbitrary local file access is not necessary for model selection and is therefore hard to justify as least-privilege behavior.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding
This file's behavior materially contradicts the advertised skill purpose: instead of routing model requests, it recursively walks a local directory and parses Python files into a structural map. In an agent-skill context, hidden or unrelated filesystem inspection expands access beyond user expectations and can expose source layout, class/function names, and parsing errors from local codebases, which is dangerous even if the code is not overtly malicious.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The module docstring explicitly describes a codebase summary generator, confirming that the file is unrelated to the declared model-routing skill. This mismatch is a supply-chain and trust issue: users or orchestrators may grant capabilities based on the published description, while the packaged code performs different local-analysis behavior.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill states that model sync will automatically modify the provider's models array and the global allowed-model list before planning. Silent configuration mutation is dangerous because it changes future execution behavior and trust boundaries without a dedicated approval step, potentially enabling additional remote models or routing paths the user did not intend.

Vague Triggers

Severity: Low
Confidence: 82%
Finding
The templates accept broad placeholders like '{task_description}' with minimal constraints, allowing the skill to be repurposed for arbitrary code, planning, or content tasks. Combined with tool use and file operations, unclear trigger boundaries make prompt injection and policy bypass more likely because the agent is not strongly limited to routing-related intents.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The skill explicitly instructs the agent to collect the user's real API key and persist it into a local configuration file. Persisting live credentials on disk increases the risk of credential exposure through local compromise, backups, logs, mis-scoped file permissions, or later unintended file access by other tools.

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.