Back to plugin

Security audit

ZeroGPU Router

Security checks across malware telemetry and agentic risk

Overview

This is a coherent ZeroGPU/OpenClaw routing plugin with disclosed CLI installation, external model use, and credential setup; the main caveat is outdated OpenClaw version compatibility reported by the scanner.

Install only with a patched OpenClaw host and prefer a release whose package metadata raises its minimum supported OpenClaw version. Before using PII, credential, customer, or regulated data with these skills, confirm that sending the text to ZeroGPU through the CLI is acceptable for your organization.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Known Vulnerable Dependency: openclaw==2026.4.0 — 10 advisory(ies): CVE-2026-53846 (OpenClaw: Workspace .env npm_execpath could influence bundled runtime dependency); CVE-2026-41913 (OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret r); CVE-2026-53830 (OpenClaw: Slack and Zalo webhook secrets could remain active after secrets.reloa) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
openclaw==2026.4.0

Known Vulnerable Dependency: openclaw==2026.4.27 — 10 advisory(ies): CVE-2026-53846 (OpenClaw: Workspace .env npm_execpath could influence bundled runtime dependency); CVE-2026-53812 (OpenClaw's browser act interactions could bypass private-network navigation chec); CVE-2026-53816 (OpenClaw: Paired nodes could forge exec lifecycle events without system.run prov) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
openclaw==2026.4.27

VirusTotal

61/61 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.