ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Translate Image

v1.0.3

Translate text in images, extract text via OCR, and remove text using TranslateImage AI. Use when user says 'translate image', 'OCR image', 'extract text fro...

1· 585·5 current·5 all-time
by@cottom
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description match the instructions: the skill sends images to https://translateimage.io for translate/OCR/remove-text operations and expects an API key. However, registry-level metadata reported earlier (no required env or binaries) contradicts the SKILL.md, which declares TRANSLATEIMAGE_API_KEY and requires curl and python3. That mismatch is a coherence problem in the package metadata.
Instruction Scope
SKILL.md stays within the stated purpose: it documents POST endpoints, required form fields, and example curl/python snippets for decoding base64 images. It only instructs fetching images that the user explicitly provides and uses /tmp for temporary files. It does not instruct reading unrelated files or other environment variables.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by the skill package itself. That lowers installation risk.
Credentials
The single required secret (TRANSLATEIMAGE_API_KEY) is appropriate for a third‑party REST API integration. The concern is the inconsistency between SKILL.md (which requires the env var) and the registry summary (which listed no required env vars). If the platform doesn't surface this requirement to you, the skill may fail or silently attempt to use an unset variable.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, does not request persistent system privileges, and does not modify other skills' configs. Autonomous invocation is allowed (platform default) but not combined with other worrying privileges.
What to consider before installing
This skill appears to do what it claims (send images to translateimage.io for OCR/translation/inpainting). Before installing: 1) Verify the publisher and the translateimage.io domain (no homepage/source was provided here). 2) Be aware it requires TRANSLATEIMAGE_API_KEY and expects curl and python3 — the package metadata omitted those, so confirm the platform will prompt for the API key. 3) Any image you process is uploaded to an external service — do not send sensitive or private images unless you trust the service and its privacy policy. 4) The skill may download user-provided image URLs (follow SKILL.md guidance: only fetch URLs the user explicitly supplies); avoid giving internal or sensitive URLs to prevent SSRF/data-leakage risks. If you rely on this skill, prefer obtaining the API key from the official site and verifying the publisher identity first.

Like a lobster shell, security has layers — review code before you run it.

latestvk9744yhstn1ed7ka93z89ap5r982mnyq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments