Translate Image
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Images processed with this skill are sent to TranslateImage, so private or sensitive image contents may leave the user's device.
The skill explicitly uploads the user's image file to an external provider for processing. This is purpose-aligned and disclosed, but images may contain private documents, screenshots, or personal information.
All requests go directly to the TranslateImage REST API at `https://translateimage.io` using curl ... -F "image=@$IMAGE_PATH"
Use the skill only with images you are comfortable uploading to translateimage.io, and check the provider's privacy and retention terms for sensitive content.
Anyone with the API key could potentially use the user's TranslateImage account or quota.
The skill uses a bearer API key for the TranslateImage service. This is expected for an API-backed integration, and the artifacts do not show hardcoding or leaking the key.
export TRANSLATEIMAGE_API_KEY=your-api-key ... Authorization: Bearer $TRANSLATEIMAGE_API_KEY
Store the API key securely, avoid pasting it into shared logs or chats, and rotate it if it is exposed.
Users may not be warned by the registry that the skill needs an API key and local curl/python3 commands before they try to use it.
The skill's own frontmatter declares an API key and local binary dependencies, while the supplied registry requirement summary says no required env vars or binaries. This is an install-time metadata gap rather than hidden behavior.
requires:\n env:\n - TRANSLATEIMAGE_API_KEY\n bins:\n - curl\n - python3
Confirm the API key and local command requirements before installing or invoking the skill.