Mongolian AI for Codex

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Mongol Open Idea API integration that uses the user's own API key for Mongolian translation and media tasks, with no evidence of hidden persistence, credential theft, or destructive behavior.

Install only if you are comfortable sending the relevant Mongolian text, audio, images, or documents to the Mongol Open Idea API using your own API key. Keep the key in MONGOL_OPEN_IDEA_API_KEY, do not paste it into chat, and review charges before long text, document, OCR, ASR, or TTS jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Natural-Language Policy Violations

Medium
Confidence: 83%
Finding
Mandating a fixed Chinese billing line regardless of user locale can cause unintended disclosure of account billing information in contexts where the user did not request it or cannot read it. In a multilingual translation skill, forcing a non-user-selected language and always appending billing details increases the chance of confusion, accidental exposure in copied outputs, and poor consent around paid-operation metadata.

Natural-Language Policy Violations

Medium
Confidence: 97%
Finding
The default prompt hard-codes a specific task—translating Chinese text into traditional Mongolian—without reflecting user intent or requiring explicit opt-in. This can cause the skill to steer requests into an unintended language pair, leading to incorrect outputs, user confusion, or accidental processing of sensitive text under the wrong workflow.

VirusTotal

65/65 vendors flagged this skill as clean.
