Skill Trust Decision

sage-router

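AI model routing proxy service. The code's functionality is largely consistent with its declaration. It contains undeclared systemctl service management and Node.js subprocess calls, which are medium-privilege operations, but shows no clear malicious behavior.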

Install decision first Source: ClawHub Scanned: Apr 21, 2026
Files 5
Artifacts 2
Violations 2
Findings 3
Most direct threat evidence

Why this conclusion was reached

1/4 dimensions flagged
Block
Declared vs actual capability

2 undeclared or violating capabilities were inferred.

Review
Hidden execution and egress

2 lower-risk artifacts were extracted and still need context.

Pass
Attack chain and severe findings

There is no explicit malicious chain in the report.

Review
Dependencies and supply chain hygiene

1 dependency or supply-chain issue needs attention.

What drove the risk score up

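systemctl not declared +18

SKILL.md does not declare it, but the code calls systemctl --user start/stop via subprocess to manage a service

Node.js subprocess not declared +12

Calls an external JS script via subprocess.run(['node', ...]); the declaration includes no shell execution

Filesystem write not declared +8

Writes to ~/.cache/sage-router/latency-stats.json without explicitly declaring filesystem:WRITE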

Most important evidence

Medium Priv Escalation

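systemctl service management not declared

The code calls systemctl --user start/stop via subprocess to manage the Dario service (an Anthropic-compatible proxy). This is a sudo-level system service operation, but the SKILL.md env declaration does not mention this capability.

router.py:27
Explicitly declare in the SKILL.md env or documentation that systemctl --user permission is required to manage the Dario service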
Low Priv Escalation

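Node.js subprocess call not declared

The code calls the openclaw_gateway_agent.mjs script via subprocess.run(['node', OPENCLAW_GATEWAY_HELPER]) to perform external OpenClaw SDK calls. This is indirect shell execution, but SKILL.md does not declare it.

router.py:592
Add a declaration of the dependency on the Node.js runtime and the openclaw npm package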
Low Doc Mismatch

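Filesystem write permission declaration missing

The code writes to ~/.cache/sage-router/latency-stats.json to persist latency statistics. This is a filesystem:WRITE-level operation, but it is not covered by the env declaration in SKILL.md.

router.py:49
Declare in SKILL.md that write permission to the cache directory is required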

Declared capability vs actual capability

Filesystem Pass
Declared NONE
Inferred READ
router.py:13 reads ~/.openclaw/openclaw.json
Filesystem Pass
Declared NONE
Inferred WRITE
router.py:49-54 writes to ~/.cache/sage-router/latency-stats.json
Network Pass
Declared NONE
Inferred READ
router.py: multiple urllib requests to the configured AI providers
Shell Block
Declared NONE
Inferred WRITE
router.py:25-42 systemctl calls
Shell Block
Declared NONE
Inferred WRITE
router.py:592 node invokes openclaw_gateway_agent.mjs

Suspicious artifacts and egress

Medium External URL
http://127.0.0.1:3456

router.py:27

Medium External URL
http://127.0.0.1:11434

router.py:592

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
openclaw | unknown | npm global | No | openclaw SDK loaded via Node.js; no version pinning

File composition

5 files · 2398 lines
Python 1 file · 2152 lines
Markdown 2 files · 134 lines
JavaScript 1 file · 102 lines
JSON 1 file · 10 lines
Files of concern · 1
router.py Python · 2152 lines
systemctl service management not declared · Node.js subprocess call not declared · Filesystem write permission declaration missing · http://127.0.0.1:3456 · http://127.0.0.1:11434
Other files · SKILL.md · openclaw_gateway_agent.mjs · BRANCH_PROTECTION.md · _meta.json

Security positives

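Pure routing-proxy functionality; no credential harvesting or sensitive data exfiltration
All network request targets are legitimate configured AI providers (localhost or openclaw.json)
No base64/eval/anti-analysis obfuscated code
No backdoor implants or persistence mechanisms
The OpenClaw gateway connection is local, ws://127.0.0.1:18789 (pre-scan IOC rated med risk)
Code structure is clear, comments are complete, and the routing logic is auditable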