openrouter
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- Indirect Prompt Injection (HIGH): The skill explicitly instructs agents to use browser automation tools to scrape rankings and provider metrics from
openrouter.ai. This content is externally controlled and ingested directly into the agent's context to influence decision-making and execution. - Ingestion points:
https://openrouter.ai/rankingsandhttps://openrouter.ai/<model-slug>/providersaccessed via browser automation. - Boundary markers: Absent. There are no instructions to the agent to treat scraped content as untrusted or to ignore embedded instructions.
- Capability inventory: The skill executes shell commands via
scripts/call_openrouter.shand performs authenticated API calls. - Sanitization: Absent. The instructions suggest direct extraction of metrics and rankings from rendered pages.
- Command Execution (MEDIUM): The core functionality depends on
scripts/call_openrouter.sh. This file was not provided for analysis, preventing verification of how it handles shell arguments or environment variables. Malicious modification of this script could lead to local command injection. - External Downloads (LOW): The skill performs network operations to
openrouter.ai(models list and API endpoints). While these are required for the skill to function, the domain is not in the predefined trust scope, and the skill usescurlto pipe this external data into local files.
Recommendations
- AI detected serious security threats
Audit Metadata