acp-router

Security checks across malware telemetry and agentic risk

Overview

This routing skill has a legitimate purpose, but it can make local software and configuration changes before clearly asking the user.

Install only if you want OpenClaw to route work into ACP coding harnesses. Before using it, require confirmation for any npm install, gateway restart, or change to ~/.acpx/config.json, and avoid sending secrets into persistent harness sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%

The skill goes beyond routing and instructs the agent to install software, repair local artifacts, and restart services automatically. Those actions modify the local environment and execution surface without a clear, explicit user-consent boundary, which can lead to unauthorized system changes or supply-chain exposure through package installation.

Context-Inappropriate Capability
Severity: High
Confidence: 98%

The skill authorizes changing or removing user-specific configuration in ~/.acpx/config.json to restore defaults. Modifying a user's home-directory config is a sensitive state change outside the stated routing purpose and could disrupt custom security settings, alter trusted agent mappings, or break existing workflows.

Vague Triggers
Severity: Medium
Confidence: 84%

The trigger conditions are broad enough to activate on generic requests about external coding tools or continuing prior work. Overbroad activation increases the chance that the skill will run in contexts where shell execution, session spawning, or repair behaviors were not intended, amplifying the impact of the more dangerous instructions later in the file.

Missing User Warnings
Severity: Medium
Confidence: 96%

The skill directs automatic installation, repair, and gateway restart behavior without requiring a user-facing warning or explicit consent. Because these are privileged operational changes, executing them implicitly can surprise users, disrupt active work, and introduce new software into the environment without adequate review.

Missing User Warnings
Severity: Medium
Confidence: 90%

The direct acpx path instructs the agent to run shell commands for session creation, prompting, canceling, and closing without an explicit warning that command execution will occur. In a skill that may trigger from plain-language requests, silent shell execution raises the risk of unintended command invocation and makes the trust boundary unclear to the user.

VirusTotal

None of the 56 VirusTotal vendors flagged this skill (56/56 clean). That verdict covers known-malware signatures in the packaged files only; the behavioural risks in the findings above (package installation, gateway restarts, config changes, silent shell execution) are outside what an antivirus scan can rule out.
