Back to skill
Skillv1.0.0
ClawScan security
CamScanner Translate Image · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 30, 2026, 7:57 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and instructions align with its stated purpose (upload an image to CamScanner, translate it, and download a rendered result); there are no unrelated credentials, installs, or hidden actions.
- Guidance
- This skill is coherent for translating images, but it uploads your images to CamScanner's servers. Do not use it with sensitive images (IDs, passports, private documents, screenshots containing secrets) unless you trust CamScanner's service and privacy policy. Ensure curl and jq are installed and that you specify safe input/output paths. If you need offline translation or cannot permit external uploads, seek an offline OCR/translation tool instead. If you want higher assurance, test with non-sensitive images first and confirm the service behavior and domain (ai-tools.camscanner.com / open.camscanner.com) before sending private data.
Review Dimensions
- Purpose & Capability
- okName and description (image translation preserving layout) match the SKILL.md: it uses an upload → translate → download pipeline against CamScanner endpoints and only requires curl and jq, which are reasonable for the provided curl-based examples.
- Instruction Scope
- noteInstructions explicitly upload user-specified local image files to CamScanner servers (ai-tools.camscanner.com) and save output to a local path; this is expected for the stated function but has privacy implications because user files are sent off-host. The SKILL.md does not attempt to read unrelated system files or environment variables.
- Install Mechanism
- okInstruction-only skill with no install spec and no bundled code — lowest-risk installation footprint. It relies on existing system binaries (curl, jq) only.
- Credentials
- okThe skill requests no environment variables, secrets, or configuration paths. The lack of credentials is coherent because the API appears to accept anonymous uploads in the documented flow.
- Persistence & Privilege
- okalways:false and no self-modifying install actions. The skill does not request permanent platform privileges or modify other skills/configuration.