openrouter-skill

Pass

Audited by Gen Agent Trust Hub on Mar 22, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill provides integration guides for well-known LLM services and follows security best practices for production deployments.
  • [SAFE]: Secrets management consistently uses environment variables (e.g., OPENROUTER_API_KEY, LANGFUSE_SECRET_KEY) instead of hardcoding credentials, preventing accidental exposure of sensitive API keys.
  • [SAFE]: The calculator tool implementation specifically avoids unsafe evaluation by using the Python ast module to safely parse and evaluate mathematical expressions against a strict whitelist of allowed operators, preventing remote code execution (RCE) vulnerabilities.
  • [SAFE]: Network operations are directed to well-known and legitimate API endpoints, such as OpenRouter and Langfuse, for their intended purposes of LLM orchestration and observability.
  • [SAFE]: File system access is restricted to local caching of model responses and temporary processing of document images for OCR, which is standard and expected behavior for the intended functionality.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 22, 2026, 06:50 PM