Translate Agent

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only translation and summarization skill with broad routing language but no code, credentials, persistence, or external access.

Install this if you want JSON-only translation and summarization. Be aware that plain text may be treated as content to translate into Vietnamese unless a target language is provided, and broad trigger wording could route ordinary translation-like messages into this skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

High
Confidence: 95%
Finding
The trigger conditions are broad enough to capture ordinary user messages, including plain text and common words like 'translate' or 'summarize', which can cause the agent to route unrelated requests into this skill. In a larger agent system, this creates prompt-routing confusion and can suppress safer or more appropriate handlers, leading to unintended data transformation or loss of user intent.

Vague Triggers

Medium
Confidence: 92%
Finding
The instruction to 'Always use this skill' encourages unconditional invocation and bypasses normal arbitration between skills or system logic. While not directly executing harmful actions, it increases the chance of misrouting requests and makes prompt-injection-style behavior in skill metadata more influential over the host agent's decision-making.

Natural-Language Policy Violations

Medium
Confidence: 89%
Finding
Defaulting plain-text input to translation into Vietnamese without explicit user consent can silently alter the meaning, language, and expected output of user requests. In context, this is especially risky because the same skill also claims very broad triggers, so unrelated text may be automatically transformed into Vietnamese JSON output instead of receiving the intended handling.

VirusTotal

65/65 vendors flagged this skill as clean.
