Mongol AI Skill (Mongolian AI Skill)

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Mongolian-language API connector that sends chosen text, files, images, or audio to mongol.open-idea.net using the user’s own API key.

Install only if you are comfortable sending the content you translate, OCR, transcribe, synthesize, or process as documents to mongol.open-idea.net under your own API key and billing account. Avoid sensitive or regulated data, confirm large or paid jobs, and explicitly choose the OCR script when the image may be Cyrillic or mixed-language.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Natural-Language Policy Violations

Severity: Medium
Confidence: 88%
Finding
The routing guide hard-codes OCR to default to `language=mw` unless the caller explicitly switches to Cyrillic `mn`. This can cause the agent to process user images under the wrong locale/script without user confirmation, leading to inaccurate extraction, mistranslation, and unintended transmission of content to an external API in a way the user did not clearly request.

Natural-Language Policy Violations

Severity: Medium
Confidence: 88%
Finding
The documentation instructs callers to use a default OCR language of `mw` unless manually changed, which can cause the agent to process user input with an incorrect language setting without explicit user consent or confirmation. In this skill, requests are sent to an external API, so silent defaulting can degrade accuracy, produce misleading output, and increase privacy risk if users do not realize what is being sent or how it is being interpreted.

VirusTotal

63/63 vendors flagged this skill as clean.
