ClawHub

Translate CLI

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only guide for a translation CLI, with sensitive behaviors that are expected for translation workflows and user-controlled.

Installers should treat this as a guide for a CLI that may send text or file contents to configured providers and may overwrite files when explicitly commanded. Prefer environment variables or private local config for API keys, review custom base URLs, use dry-run or output-file modes before broad file operations, and avoid `--in-place --yes` unless the files are backed up or version-controlled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation shows multiple `api_key` configuration fields but does not warn that these values are secrets that must be protected, excluded from source control, and handled carefully. In a config guide, this omission can lead users to store live credentials in plaintext files, paste them into shared examples, or commit them to repositories, increasing the chance of credential leakage and downstream account abuse.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The quickstart includes an in-place overwrite example using `--in-place --yes` without any adjacent warning that the original file will be destructively modified. In a documentation skill intended for end users, this can lead to accidental data loss or corruption if users copy-paste the command against important files without backups or review.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The provider setup section explains how to configure API keys for network-backed providers but does not warn that submitted text or files may be transmitted to third-party services. Because this skill is a quickstart for translating arbitrary stdin, text, and files, users may unknowingly send sensitive content to external providers, creating confidentiality and compliance risks.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal