Openclaw I18n Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real localization skill, but it needs review because it can silently rewrite every assistant response and its scope is broader than consistently advertised.

Install only if you are comfortable with an automatic post-processor changing assistant responses before you see them. Avoid using it for code, legal/medical/safety-critical text, quoted material, names, identifiers, or mixed-language content unless you can inspect changes, disable the processor, and confirm the active language and supported-language list.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (17)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documentation claims French and Spanish are already 'Stable' even though the skill metadata says only Romanian and German are supported at launch. This can mislead users into enabling unsupported locales, causing incorrect text transformations, broken behavior, or unsafe reliance on functionality that does not actually exist.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The docs state that language preferences are stored across sessions, but this file provides no evidence of that behavior and no user-facing caveats about what is retained. Security-relevant documentation inaccuracies can cause incorrect operator assumptions about privacy, persistence, and system state.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The file advertises inconsistent confidence thresholds, stating auto-detection confirmation below 80% in one section while later claiming a conservative 95%+ threshold for false-positive minimization. Conflicting trust and accuracy claims can cause users to overestimate safety and rely on the post-processor in situations where it may make incorrect modifications.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The page advertises support for French and Spanish as stable and states the agent speaks those languages, while the skill metadata says only Romanian and German are supported at launch. This discrepancy can mislead users into enabling the skill in unsupported locales, causing incorrect post-processing, broken outputs, or unsafe assumptions about what transformations will be applied.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The implementation contradicts its own high-confidence safety claims by applying broad and semantically unsafe substitutions such as mapping 'schon' to 'schön', 'grosse' to 'größe', and including a global typo dictionary entry 'ss' -> 'ß'. In an i18n post-processing layer, this can silently corrupt user-visible text, names, addresses, or other data, undermining integrity and potentially causing downstream business or compliance issues.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The function explicitly documents that ambiguous 'si' versus 'sí' must never be changed, but then applies a blanket regex that rewrites every standalone 'si' to 'sí'. In an i18n post-processing layer, this can silently alter user meaning, commands, conditions, or quoted text, creating integrity and instruction-corruption risks rather than code execution risk.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The function claims to apply only high-confidence corrections, but it performs broad regex substitutions such as standalone replacements for common words like 'sa', 'in', and a final blanket '\bsi\b' -> 'și'. In an output post-processing layer, these unconditional transformations can silently change user-visible meaning, code-like text, commands, names, or mixed-language content, creating integrity and safety issues.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The stylesheet is a full marketing-site design system and does not implement the internationalization/localization behavior described by the skill manifest. This kind of capability mismatch is dangerous because it can conceal undeclared functionality, expand the attack surface, and undermine trust/reviewability of the skill package, especially when a supposedly narrow i18n skill ships unrelated web UI assets.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The presence of pricing, testimonials, FAQ, docs, changelog, and waitlist UI in an i18n/localization skill is unjustified by the stated functionality and indicates substantial hidden scope. Even though CSS alone is not executable malware, bundling unrelated product-marketing components can support deceptive presentation, unauthorized feature creep, or delivery of a disguised web experience that reviewers and users did not consent to.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly states that a Python post-processor cleans every response before it reaches the user, but it does not disclose this as a trust boundary change or warn that model outputs are being altered after generation. This can mislead operators and users about output provenance, mask errors or unwanted transformations, and create opportunities for silent manipulation of responses in safety-sensitive contexts.

Natural-Language Policy Violations

Medium
Confidence
83% confidence
Finding
The documentation says the skill configures the agent to 'think in the correct language' with automatic language handling, but it does not make user control, consent, or fallback behavior clear. Automatic language steering can override user intent, cause responses in an unintended language, and interact dangerously with downstream instruction-following if language selection changes meaning, policy interpretation, or review visibility.

Natural-Language Policy Violations

Medium
Confidence
78% confidence
Finding
Forcing replies into an auto-detected language without explicit user opt-in can override user intent and create unsafe misunderstandings, especially in multilingual or security-sensitive conversations. A misdetected language could cause the agent to answer in an unintended language, obscuring warnings, consent prompts, or critical instructions.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Claiming cross-session persistence of language preferences without a clear warning about retained settings creates a privacy and transparency issue. In an agent context, retained preferences may reveal user identity, nationality, or communication habits and can surprise users if not disclosed and controllable.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The copy claims the system 'configures your agent to think in the correct language' with auto-detection and locale-aware behavior, but it does not clearly describe user consent, control boundaries, or fallback behavior. In an agent skill context, silent language enforcement can alter outputs unexpectedly, override user intent, or cause the model to transform content in ways users did not authorize.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The code does more than comment on bias: _is_stray_char unconditionally classifies multiple scripts (CJK, Cyrillic, Arabic, Devanagari, Greek, Thai, Hangul, Hebrew) as likely errors when mixed into Latin text, and remove_non_latin_characters can delete such characters from user content. In an i18n/l10n layer, this can silently corrupt legitimate multilingual input, names, quotations, addresses, or security-relevant text, creating integrity and trust issues without user opt-in.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The skill hard-requires responses in an auto-detected or configured language and does not preserve an obvious user override path at response time. This can cause the agent to ignore explicit user preference, mis-handle multilingual or safety-critical interactions, and create accessibility or consent issues when language detection is wrong.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill states that every response is transparently passed through a post-processor before delivery, but users are not informed that model output is being modified. Silent modification can alter meaning, names, quotations, code, or regulated content, creating integrity, trust, and auditability risks—especially since the processor removes characters and rewrites text.

VirusTotal

66/66 vendors flagged this skill as clean.
