Ai Model Router V2

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local/cloud model-routing helper, with privacy caveats but no artifact-backed malicious behavior.

Before installing, confirm that the package you are installing is the intended ai-model-router-v2, since the artifact itself uses the name ai-model-router. Force the local/primary backend for private work, do not rely on the regex-based privacy detector to catch every secret, and, if context tracking is enabled, periodically review or delete ~/.model-router/contexts.json.
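To make the "do not rely on regex privacy detection" caveat concrete, here is an added example of a regex-gated local/cloud router. It is illustrative code written for this page, not the skill's own implementation; the pattern set, the `route()` function and the `force_local` flag are assumptions standing in for whatever the skill does. It shows a prompt with a well-known key format being kept local, a prompt with a credential in an unlisted format (a database URL) being sent to the cloud backend, and the forced-local override catching that miss.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed pattern set in the spirit of a regex "privacy detector".
# Hypothetical: it only recognizes a few well-known secret formats.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "password_assignment": re.compile(r"(?i)\bpassword\s*[:=]\s*\S+"),
}


@dataclass
class RouteDecision:
    backend: str  # "local" or "cloud"
    reason: str


def detect_secrets(text: str) -> list[str]:
    """Return the names of every pattern that matches; empty means 'looks clean'."""
    return [name for name, pat in SECRET_PATTERNS.items() if pat.search(text)]


def route(prompt: str, *, complex_task: bool, force_local: bool = False) -> RouteDecision:
    """Hypothetical routing policy: forced-local wins, then regex hits, then complexity."""
    if force_local:
        return RouteDecision("local", "forced local by user")
    hits = detect_secrets(prompt)
    if hits:
        return RouteDecision("local", "regex detected: " + ", ".join(hits))
    if complex_task:
        return RouteDecision("cloud", "complex task and no secrets detected")
    return RouteDecision("local", "default backend")


# Constructed sample prompts (the AWS key is the documented example key).
KNOWN_FORMAT = "Why does this fail? key=AKIAIOSFODNN7EXAMPLE"
UNLISTED_FORMAT = "Debug this connection: postgres://app:hunter2@db.internal:5432/prod"


def demo() -> dict:
    return {
        "known_format": route(KNOWN_FORMAT, complex_task=True).backend,
        # The database password is a secret, but no pattern above matches it.
        "unlisted_format": route(UNLISTED_FORMAT, complex_task=True).backend,
        "unlisted_forced_local": route(UNLISTED_FORMAT, complex_task=True, force_local=True).backend,
    }


if __name__ == "__main__":
    for name, backend in demo().items():
        print(f"{name}: {backend}")
```

The second prompt is the failure mode the overview warns about: a credential embedded in a connection string contains nothing the pattern list recognizes, so a complexity-based router ships it to the cloud backend. Forcing the local backend is the only setting here that does not depend on the detector being complete.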

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Severity: Medium
Confidence: 95%
Finding
The skill description includes very broad trigger phrases such as "switch model," "use local/cloud model," configuration requests, and mentions of API keys/passwords, which can match ordinary user conversation rather than an explicit request to invoke this skill. That raises the risk of unintended activation, especially because the skill changes routing behavior for privacy-sensitive and complex tasks, potentially altering where user data is sent.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The invocation description is overly broad: it triggers on general requests to switch models, on complex tasks, and on mentions of sensitive data, any of which can cause the skill to activate unexpectedly. In a routing skill that may send prompts to different backends, ambiguous activation increases the chance of unintended model switching and of user data being disclosed to a cloud model by accident.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The skill description says complex tasks may be routed to a cloud model but does not clearly warn users that their prompts could leave the local environment. This creates a real privacy and consent risk, especially because users may provide proprietary, regulated, or personal data while assuming processing remains local unless explicitly told otherwise.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The router records full conversation content to a context store via `record_message()` without any visible consent flow, retention control, or data minimization. Because this component explicitly handles prompts and can detect sensitive data, persisting raw user messages increases privacy risk if secrets, personal data, or regulated content are stored and later exposed through logs, local compromise, backups, or unintended reuse.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
This code persists conversation content to a JSON file on disk without any visible consent, notice, retention control, or access protection in this module. Truncating content to 200 characters does not remove the risk: a prompt, secret, personal datum, or piece of internal business information easily fits in that window, so local disclosure or unintended reuse remains a realistic privacy and security risk.
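The two persistence findings above (the `record_message()` context store and the 200-character JSON file) describe a pattern rather than showing it, so here is an added example, written for this page and not taken from the skill, of the naive store beside a minimized one. `record_message_naive()` is a hypothetical reconstruction of the behavior the findings describe; `record_message_minimal()` is one way to address the missing consent, retention and data-minimization controls: it refuses to write without an explicit opt-in, stores only a length and a SHA-256 digest instead of the text, prunes entries older than a retention window, caps the file size, and writes the file with owner-only permissions via an atomic rename. The file names, the retention defaults and the sample prompt are assumptions.

```python
from __future__ import annotations

import hashlib
import json
import os
import tempfile
import time
from pathlib import Path


def _load(store: Path) -> list[dict]:
    return json.loads(store.read_text()) if store.exists() else []


def record_message_naive(store: Path, role: str, content: str) -> dict:
    """Hypothetical reconstruction of the flagged pattern: truncate, then persist raw text."""
    entries = _load(store)
    entry = {"role": role, "content": content[:200], "ts": time.time()}
    entries.append(entry)
    store.write_text(json.dumps(entries))  # world-readable by default umask, no pruning
    return entry


def record_message_minimal(
    store: Path,
    role: str,
    content: str,
    *,
    consent: bool,
    max_entries: int = 50,
    max_age_s: float = 7 * 86400,
    now: float | None = None,
) -> dict | None:
    """Minimized store: opt-in only, metadata instead of text, bounded retention, 0600 file."""
    if not consent:
        return None  # nothing is written without an explicit opt-in
    now = time.time() if now is None else now
    entry = {
        "role": role,
        "len": len(content),
        # A digest lets later code recognize a repeated message without storing it.
        "sha256": hashlib.sha256(content.encode("utf-8")).hexdigest(),
        "ts": now,
    }
    entries = [e for e in _load(store) if now - e["ts"] <= max_age_s]  # retention window
    entries.append(entry)
    entries = entries[-max_entries:]  # size cap
    tmp = store.with_suffix(".tmp")
    tmp.write_text(json.dumps(entries))
    os.chmod(tmp, 0o600)  # owner-only before the file becomes visible under its real name
    os.replace(tmp, store)
    return entry


# Constructed prompt containing a database credential.
SECRET_PROMPT = "Rotate this: postgres://app:hunter2@db.internal:5432/prod"


def demo() -> dict:
    """Run both stores in a scratch directory and report what ended up on disk."""
    with tempfile.TemporaryDirectory() as d:
        naive = Path(d) / "contexts.json"
        record_message_naive(naive, "user", SECRET_PROMPT)
        naive_on_disk = naive.read_text()

        minimal = Path(d) / "contexts_min.json"
        refused = record_message_minimal(minimal, "user", SECRET_PROMPT, consent=False)
        t0 = 1_000_000.0
        record_message_minimal(minimal, "user", "old message", consent=True, now=t0)
        record_message_minimal(minimal, "user", SECRET_PROMPT, consent=True, now=t0 + 8 * 86400)
        kept = _load(minimal)
    return {
        "naive_leaks_secret": "hunter2" in naive_on_disk,
        "minimal_leaks_secret": "hunter2" in json.dumps(kept),
        "refused_without_consent": refused is None,
        "entries_after_retention": len(kept),  # the 8-day-old entry is pruned
    }


if __name__ == "__main__":
    print(demo())
```

The point of the digest-only entry is that the store keeps enough to detect repeats or count turns while holding nothing that a backup, a log collector, or an attacker with local file access could read back as a prompt. Whether metadata is enough for the skill's routing logic is the design question a reviewer would raise with the author.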

VirusTotal

0 of 66 vendors flagged this skill as malicious; all 66 reported it clean.