Is model-router safe?

https://clawhub.ai/digitaladaption/model-router

28
DANGEROUS

This skill exhibits hallmarks of a credential harvesting trojan. Despite containing no actual skill content (empty SKILL.md) and failing to install ('Rate limit exceeded'), the process accessed AWS credentials, .env files, authentication profiles, and shell configuration. The internal lock.json references a different skill name ('academic-research-hub') than the declared slug ('model-router'), suggesting identity misdirection. Eleven compiled JavaScript modules were created in /tmp during the install, indicating significant undisclosed code execution.

Category Scores

Prompt Injection 50/100 · 30%
Data Exfiltration 5/100 · 25%
Code Execution 20/100 · 20%
Clone Behavior 10/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 15/100 · 5%

Findings (11)

CRITICAL AWS credentials accessed during install -40

The install process opened and read /home/oc-exec/.aws/credentials. There is no legitimate reason for a skill install to access AWS credential files. This is a strong indicator of credential harvesting.

CRITICAL Environment file (.env) accessed during install -35

The .env file, which typically contains API keys, database credentials, and other secrets, was read during the install process.

HIGH Auth profiles and platform config accessed -15

OpenClaw authentication profiles and platform configuration were read multiple times during install, potentially harvesting auth tokens or API keys.

HIGH Shell configuration files repeatedly accessed -5

.profile and .bashrc were each read 4+ times during install. These files may contain exported secrets, PATH configurations pointing to sensitive tools, or aliases revealing system architecture.

CRITICAL Credential access despite install failure -50

The install failed with 'Rate limit exceeded' yet still managed to access AWS credentials, .env, auth profiles, and shell configs. A failed install should have no side effects, especially not reading sensitive files.

HIGH Skill identity mismatch — lock.json references different skill -40

The lock.json inside the repo references 'academic-research-hub' but the skill slug is 'model-router'. This identity mismatch could indicate skill aliasing, supply chain confusion, or a repackaged malicious skill.

HIGH Runtime code compilation during install -40

Eleven .cjs files were compiled and written to /tmp/jiti/ during install, including modules named 'plugins-runtime', 'memory-core-index', and 'config-zod-schema'. This indicates significant code execution during what should be a simple skill registration.

MEDIUM Gateway lock file created in /tmp -20

A lock file at /tmp/openclaw-1000/gateway.e9191928.lock was created and modified, suggesting a gateway service or network component was initialized.

HIGH Empty repo with significant runtime activity -20

The skill contains only a .clawhub/lock.json file — no source code, no package.json, no SKILL.md content. Yet the install process triggered extensive filesystem activity, credential reads, and temp file creation. The payload appears to come from outside the visible repo contents.

MEDIUM Empty SKILL.md — no declared functionality -50

The skill provides no prompt content, no instructions, and no declared purpose. This makes it impossible to assess prompt injection risk from the skill itself, but the empty shell could serve as a trojan — installed now, payload delivered later via update.

HIGH Pattern consistent with credential harvesting trojan -85

The combination of empty skill content, a mismatched skill identity, credential file access during a failed install, and runtime code execution in /tmp strongly resembles a credential harvesting operation disguised as a benign skill. The skill provides no user-facing functionality while accessing the most sensitive files on the system.