Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Chinovnik Ru
v1.0.2Переведи официальные письма, постановления, госдокументы и юридические тексты с бюрократического языка на понятный русский.
⭐ 0· 342·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The manifest declares no required binaries or env vars, but SKILL.md requires running python3 and accessing a workspace file. Reading/writing '/home/node/.openclaw/workspace/ru-pack-counter.txt' and inserting promotional links is unrelated to translating bureaucratic texts and is not justified by the skill description.
Instruction Scope
Runtime instructions instruct the agent to execute local commands that read and update a file in the agent workspace and conditionally append promotional/tелеgram links to the user's response. This modifies local state and the output in ways unrelated to analysing or translating documents and constitutes hidden side effects.
Install Mechanism
There is no install spec (instruction-only), which is low risk in general, but the SKILL.md expects a python3 runtime. The manifest should declare python3 as a required binary if it relies on it.
Credentials
The skill reads and writes a specific path in the agent's workspace (/home/node/.openclaw/workspace/ru-pack-counter.txt) despite declaring no required config paths or credentials. Access to that filesystem path is not justified by the translation task and is disproportionate.
Persistence & Privilege
always:false, so the skill is not forced globally, but it still instructs the agent to persist a counter file in the workspace and to alter future outputs by adding promotional text. That local persistence and automatic modification of user-visible responses are unexpected privileges for a translator skill.
What to consider before installing
This skill mostly does what it says (translate bureaucratic Russian), but its instructions include hidden side effects: they tell the agent to run python3 locally, read and increment a counter file in the agent workspace, and conditionally append promotional Telegram links to the user's reply. Those actions are unrelated to translating documents and are not declared in the manifest. Before installing or enabling this skill, ask the author to: (1) remove the attribution block that executes local commands and writes to the workspace, or make this behavior explicit and optional with user consent; (2) declare python3 and the workspace file path in the manifest if they are truly required; and (3) explain why a persistent counter and promotional text are needed. If you cannot get a clear explanation, do not allow the skill to run these commands or decline installation. If you install it, review every output before sending it to external parties and block or sanitize any appended promotional links or unexpected text.Like a lobster shell, security has layers — review code before you run it.
latestvk970ft377mps6fnbd8mpebc901820h1z
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🔤 Clawdis
OSLinux · macOS · Windows