iblai-router
Fail
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The installation script `scripts/install.sh` automatically attempts to discover and extract an Anthropic API key from the local file `~/.openclaw/agents/main/agent/auth-profiles.json`. This key is then stored in a systemd service environment variable.
- [DATA_EXFILTRATION]: The skill reads from a sensitive file path `~/.openclaw/agents/main/agent/auth-profiles.json` which contains agent authentication data.
- [COMMAND_EXECUTION]: The installer uses `sudo` to create a new systemd service file at `/etc/systemd/system/iblai-router.service` and executes `systemctl` commands to enable and start it, granting the skill persistence and elevated execution context.
- [REMOTE_CODE_EXECUTION]: The `README.md` file suggests an insecure command pattern for users: `curl -s http://127.0.0.1:8402/stats | python3`. Piping output from a network request directly into a Python interpreter is a dangerous practice that can be exploited if the endpoint is compromised.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it analyzes the content of user messages to determine routing logic in `server.js`.
  - Ingestion points: `server.js` ingests message content from the request body forwarded by OpenClaw.
  - Boundary markers: No delimiters or safety instructions are used to separate user data from the classification logic.
  - Capability inventory: The skill controls which LLM model processes a request and proxies sensitive API payloads.
  - Sanitization: No sanitization or filtering is performed on the text used for keyword-based scoring.
Recommendations
- HIGH: Downloads and executes remote code from: http://127.0.0.1:8402/stats - DO NOT USE without thorough review
Audit Metadata