Skill v1.0.0

ClawScan security

Baidu Text Translate · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 20, 2026, 9:47 AM
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's instructions match its translation purpose, but the manifest and SKILL.md disagree about required binaries, install steps, and config paths; these inconsistencies warrant caution before installing or running it.
Guidance
This skill appears to do what it says (wrap trans-cli for Baidu translation), but there are inconsistencies between the SKILL.md and the registry manifest you should resolve before installing:
1) Confirm the trans binary requirement and whether the skill intends to install @bdtrans/trans-cli via npm.
2) Verify the npm package name (@bdtrans/trans-cli) and inspect its source repository and npm page for trustworthiness (owner, downloads, recent releases).
3) Be aware you must supply a Baidu TRANS_API_KEY or write it to ~/.trans-cli/config.json; check that file's permissions and contents before saving secrets there.
4) Prefer installing trans-cli yourself or reviewing the package code rather than blindly running the skill's install step.
5) If you need certainty, ask the skill author to fix the manifest so required env vars, bins, and install steps are declared consistently.

Review Dimensions

Purpose & Capability
Note: The SKILL.md describes a translation helper that uses trans-cli to call Baidu's Translation API; that purpose is coherent with the described actions (trans text, trans doctor, trans config). However, the top-level registry metadata/manifest claims no required binaries or config paths, while the SKILL.md metadata clearly declares the trans binary and an npm install for @bdtrans/trans-cli. This mismatch is unexpected and should be resolved by the author.
Instruction Scope
OK: Runtime instructions are narrowly scoped to running trans-cli commands, parsing its JSON output, diagnosing via `trans doctor`, and reading/writing the trans-cli config (~/.trans-cli/config.json) or TRANS_API_KEY. The skill does not instruct collecting unrelated files or secrets beyond the API key and config file. It explicitly states the agent cannot obtain the key for the user.
Install Mechanism
Note: SKILL.md contains metadata that suggests an npm install of @bdtrans/trans-cli (a public npm package), which is a reasonable install mechanism. But the registry-level install spec is reported as absent, another inconsistency. Installing from a public npm package is moderate-risk (verify package provenance and source); there are no high-risk direct-download URLs in the instructions.
Credentials
Concern: The skill requires an API key (TRANS_API_KEY or the config file field api_key) to function per SKILL.md. The top-level manifest, however, lists no required env vars or config paths. The requested credential (Baidu API key) is proportionate to the stated purpose, but the manifest/metadata disagreement is a red flag: the skill may assume access to ~/.trans-cli/config.json and TRANS_API_KEY even though the registry doesn't declare them.
Persistence & Privilege
OK: The skill does not request always:true or any special persistent privileges. It documents how to write the API key to the trans-cli config, but explicitly says the agent cannot perform the developer portal steps; no unexpected autonomous escalation is indicated.