Skill Trust Decision

hpr-solver

Skill declares only LP solving with official Julia/HPR-LP downloads, but the actual implementation contains undeclared LLM API calls to OpenRouter, undeclared WhatsApp notifications to a specific phone number (+85259562906), and hardcoded user paths suggesting targeted deployment.

Install decision first
Source: Manual upload
Scanned: Apr 5, 2026
Files 6
Artifacts 3
Violations 4
Findings 5
Most direct threat evidence
01
Skill masquerades as LP solver via SKILL.md with no declared external network calls
Entry · SKILL.md
02
Script reads OPENROUTER_API_KEY from environment for LLM authentication
Reconnaissance · scripts/hpr_hybrid.py
03
Problem data sent to external OpenRouter API for LLM parsing without user consent
Escalation · scripts/hpr_hybrid.py

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

4 undeclared or violating capabilities were inferred.

Review
Hidden execution and egress

3 lower-risk artifacts were extracted and still need context.

Block
Attack chain and severe findings

The report includes 4 attack-chain steps and 2 severe findings.

Pass
Dependencies and supply chain hygiene

Dependencies are present but no obvious high-risk issue stands out.

Attack Chain

01
Skill masquerades as LP solver via SKILL.md with no declared external network calls

Entry · SKILL.md:1

02
Script reads OPENROUTER_API_KEY from environment for LLM authentication

Reconnaissance · scripts/hpr_hybrid.py:325

03
Problem data sent to external OpenRouter API for LLM parsing without user consent

Escalation · scripts/hpr_hybrid.py:292

04
WhatsApp notifications sent to +85259562906 revealing contact information

Impact · scripts/hpr_hybrid.py:500

What drove the risk score up

Undeclared LLM API calls +15

scripts/hpr_hybrid.py calls the OpenRouter API (lines 23, 292-334) for LLM parsing - not declared in SKILL.md

Undeclared WhatsApp notifications +15

Sends WhatsApp messages to +85259562906 (lines 500, 509-511) - not declared anywhere

Hardcoded user paths +10

scripts/hpr_hybrid.py hardcodes /home/ljw/ paths; hprlp_solve.sh hardcodes /home/ljw/

os.popen shell execution +5

Line 357 uses os.popen() for Julia execution without sandboxing

Most important evidence

High Doc Mismatch

Undeclared LLM API calls to OpenRouter

SKILL.md claims the skill only uses the Julia/HPR-LP solver. In reality, hpr_hybrid.py calls the OpenRouter API (https://openrouter.ai/api/v1/chat/completions) using the minimax/MiniMax-M2.7 model to parse natural language problems. This sends user problem data to an external LLM service.

scripts/hpr_hybrid.py:23
Declare external LLM API usage in SKILL.md. Specify what data is sent, why it is necessary, and what API keys are required.
High Doc Mismatch

Undeclared WhatsApp notifications

The script sends WhatsApp messages to +85259562906 via 'openclaw message send' command at lines 500 and 509-511. This behavior is completely absent from SKILL.md and reveals a specific contact number.

scripts/hpr_hybrid.py:500
Remove undeclared external communication channels. If notifications are required, declare them explicitly in SKILL.md with user consent.
Medium Sensitive Access

Hardcoded user-specific paths

The scripts contain hardcoded paths referencing a specific user '/home/ljw/' in both hpr_hybrid.py (lines 488-489) and hprlp_solve.sh (lines 17-18). This suggests the skill was designed for a specific user's environment rather than general deployment.

scripts/hpr_hybrid.py:488
Use environment variables or configurable paths instead of hardcoded user directories.
Medium Credential Theft

Environment variable API key access

The script reads OPENROUTER_API_KEY from environment variables (line 325) to authenticate with the external LLM API. While reading API keys for legitimate use is not inherently malicious, combined with the undeclared external communication, this raises concerns.

scripts/hpr_hybrid.py:325
Ensure API key usage is declared and the key is not exfiltrated or logged.
Low RCE

os.popen shell execution without sandbox

The run_julia_solve function (line 357) uses os.popen() to execute Julia solver commands. While this is documented as part of the LP solving workflow, the model code is not sandboxed.

scripts/hpr_hybrid.py:357
Consider using subprocess.run() with shell=False for safer execution, and validate/sanitize inputs.

Declared capability vs actual capability

Filesystem Block
Declared NONE
Inferred WRITE
scripts/hpr_hybrid.py:357 writes temp .jl files to /tmp/
Network Block
Declared NONE
Inferred WRITE
scripts/hpr_hybrid.py:23,292-334 - undeclared OpenRouter API calls
Shell Block
Declared NONE
Inferred WRITE
scripts/hpr_hybrid.py:500,509 - os.system() for WhatsApp notifications
Environment Block
Declared NONE
Inferred READ
scripts/hpr_hybrid.py:325 reads OPENROUTER_API_KEY from env

Suspicious artifacts and egress

Medium External URL
https://julialang.org/downloads/

README.md:17

Medium External URL
https://openrouter.ai/api/v1/chat/completions

scripts/hpr_hybrid.py:23

Medium External URL
https://openclaw.ai

scripts/hpr_hybrid.py:349

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
urllib | stdlib | Python standard library | No | Standard library only

File composition

6 files · 957 lines
Python 1 file · 570 lines
Markdown 4 files · 365 lines
Shell 1 file · 22 lines
Files of concern · 2
scripts/hpr_hybrid.py Python · 570 lines
Undeclared LLM API calls to OpenRouter · Undeclared WhatsApp notifications · Hardcoded user-specific paths · Environment variable API key access · os.popen shell execution without sandbox · https://openrouter.ai/api/v1/chat/completions · https://openclaw.ai
README.md Markdown · 62 lines
https://julialang.org/downloads/
Other files · PROBLEM_LIBRARY.md · SKILL.md · install-manual.md · hprlp_solve.sh

Security positives

SKILL.md clearly documents the Julia and HPR-LP installation process from official sources
The core LP solving functionality matches the documented behavior for MPS file handling
No base64-encoded payloads or obfuscation techniques observed
No credential harvesting or data exfiltration to unknown IPs
The LLM API calls are for legitimate problem parsing, not malicious