recursive-router
Warn
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill frequently executes local scripts and binaries to manage the routing lifecycle. Evidence includes calls to Python scripts (e.g., `recursive-router-init.py`, `recursive-router-probe.py`) and PowerShell scripts (e.g., `recursive-router-probe.ps1`) located in the `./scripts/` directory.
- [COMMAND_EXECUTION]: It directly invokes external CLI tools such as `codex`, `kimi`, and `opencode` with parameters to perform environment probing and task invocation (e.g., `opencode-cli.exe run`, `kimi --print`).
- [CREDENTIALS_UNSAFE]: The skill is designed to read potentially sensitive configuration files from the user's home directory to discover model aliases and authentication states. Specifically, it accesses `~/.codex/models_cache.json`, `~/.kimi/config.toml`, and uses `opencode models` which typically relies on stored credentials.
- [DATA_EXFILTRATION]: By its core design, the skill transmits repository context, code snippets, and instructions (context bundles) to external model providers. This constitutes a controlled but significant data egress point to third-party services.
- [PROMPT_INJECTION]: The skill acts as a surface for indirect prompt injection by processing output from external, untrusted models. Although the instructions mandate that the agent verify all output against the real repository state, the vulnerability exists if the verification logic is bypassed or if the external model provides malicious instructions that influence the main orchestrator's behavior.
Audit Metadata