Skill v0.1.0
ClawScan security
Naver Papago Translate · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 17, 2026, 2:30 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and required credentials align with a simple Naver Papago translation client and do not request unrelated access.
- Guidance: This package appears to be a straightforward Papago API client. Before installing: (1) Confirm you trust the package source (check the GitHub repo and recent commits) or install directly with pip from the repository to ensure integrity. (2) Provide only a Papago app's client ID/secret (no other credentials). (3) Avoid running with --verbose in environments where logs are captured, since debug output can reveal more context (the code does not log credentials, but verbose mode prints error/debug messages). (4) If you operate in a high-security environment, prefer creating a Naver app with scoped credentials and rotate them if they are exposed. Finally, the installer kind 'uv' is registry-specific; if unsure, use pip install from the repository or PyPI.
Review Dimensions
- Purpose & Capability: ok. Name/description match the requested artifacts: python3, NAVER_CLIENT_ID and NAVER_CLIENT_SECRET are exactly what a Papago API client needs. Declared binaries and package entry point correspond to the CLI implemented in the source.
- Instruction Scope: ok. SKILL.md and README instruct only to call Naver Papago endpoints and to read input text (argv or user-specified file). No instructions to read unrelated files, system configuration, or transmit data to any endpoint other than openapi.naver.com.
- Install Mechanism: note. Install spec uses 'uv' packaging to provide the papago-translate binary; source includes a normal Python package (pyproject.toml) and pip install instructions. 'uv' is an uncommon installer kind in this registry; verify the registry source or prefer installing from the published PyPI/GitHub source if you want reproducibility.
- Credentials: ok. Only NAVER_CLIENT_ID and NAVER_CLIENT_SECRET are required, which is proportionate for an API client. The code reads only these env vars (or CLI overrides) and does not request additional unrelated secrets or configs.
- Persistence & Privilege: ok. always:false (not force-included). The skill does not request persistent system-level configuration changes or modify other skills. Autonomous invocation is allowed by default but is standard for skills; nothing else elevates its privileges.
