UAPI AI Translation Configuration API

Security checks across malware telemetry and agentic risk

Overview

This is a small read-only UAPI helper for listing AI translation language options, with minor over-broad trigger wording but no evidence of harmful behavior.

Install this only if you want your agent to query UAPI for supported AI translation languages/configuration. Be aware it may contact uapis.cn automatically when implicitly invoked, and only provide a UAPI key if you trust that service and the task actually needs it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger keyword "languages" is overly generic and can match many unrelated user requests, causing this skill to be selected when the user did not intend to call the UAPI translation-language endpoint. In an agent environment, incorrect skill routing can lead to unintended external API calls, confused task execution, or leakage of user context to the wrong integration.

Vague Triggers

Medium
Confidence: 91%
Finding
Keywords like "AI翻译" and "ai translation" are broader than the actual capability of this skill, which only retrieves supported languages rather than performing translation. This mismatch increases the chance of over-selection, where the agent invokes a configuration/listing endpoint for translation requests that require a different tool, leading to wrong actions or unnecessary disclosure of user intent to an external service.

Natural-Language Policy Violations

Medium
Confidence: 91%
Finding
The skill metadata and default prompt are written to steer output toward Chinese-language presentation without checking the user's language preference. This can cause confusing or inaccessible responses and creates a prompt-level behavior override that may conflict with user intent, though it does not directly enable code execution or data exfiltration.

VirusTotal

66/66 vendors flagged this skill as clean.
