Skip to main content

acp-router

Route plain-language requests for Pi, Claude Code, Codex, OpenCode, Gemini CLI, or ACP harness work into either OpenClaw ACP runtime sessions or direct acpx-dri

25/100

Security score

The acp-router skill was audited on Mar 3, 2026 and we found 9 security issues across 2 threat categories, including 3 high-severity. Review the findings below before installing.

Categories Tested

Security Issues

high line 98

Template literal with variable interpolation in command context

SourceSKILL.md
98- verify `${ACPX_CMD} --version`
high line 137

Template literal with variable interpolation in command context

SourceSKILL.md
1371. Use `exec` commands that call `${ACPX_CMD}`.
medium line 155

Template literal with variable interpolation in command context

SourceSKILL.md
155```bash
medium line 164

Template literal with variable interpolation in command context

SourceSKILL.md
164```bash
medium line 170

Template literal with variable interpolation in command context

SourceSKILL.md
170```bash
medium line 176

Template literal with variable interpolation in command context

SourceSKILL.md
176```bash
high line 214

Template literal with variable interpolation in command context

SourceSKILL.md
214- `NO_SESSION`: run `${ACPX_CMD} <agent> sessions new --name <sessionName>` then retry prompt.
medium line 200

Access to hidden dotfiles in home directory

SourceSKILL.md
200If `~/.acpx/config.json` overrides `agents`, those overrides replace defaults.
medium line 211

Access to hidden dotfiles in home directory

SourceSKILL.md
211- for thread-spawn ACP requests, first restore built-in defaults by removing broken `~/.acpx/config.json` agent overrides
Scanned on Mar 3, 2026
View Security Dashboard