Back to skill
Skillv1.0.1
ClawScan security
Oatda Translate Audio · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 26, 2026, 6:31 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are consistent with a simple audio-translation wrapper for OATDA's API: it only needs curl/jq and an OATDA API key (from ~/.oatda/credentials.json) and its commands call oatda.com endpoints.
- Guidance
- This skill will read an OATDA API key from ~/.oatda/credentials.json (or the OATDA_API_KEY env var) and upload audio to oatda.com for translation. Only install if you trust OATDA to process your audio and you are comfortable storing/using an API key from that config file. Recommended precautions: use a scoped/minimal API key if supported, rotate the key if compromised, avoid uploading sensitive audio unless the service's privacy policy is acceptable, and ensure curl/jq are available and from trusted system packages.
Review Dimensions
- Purpose & Capability
- okName/description match the declared requirements and instructions: the SKILL.md only calls OATDA endpoints, needs curl and jq, and reads the configured OATDA API key. There are no unrelated services or credentials requested.
- Instruction Scope
- okInstructions are narrowly scoped to preparing audio input, resolving the OATDA API key from the declared config path or env var, and POSTing to https://oatda.com/api/v1/llm/translations. The skill does read ~/.oatda/credentials.json to obtain the API key (which is declared as a required config path). It does not instruct the agent to access other system files or external endpoints beyond OATDA.
- Install Mechanism
- okThis is an instruction-only skill with no install spec or downloaded code, which minimizes risk. It assumes existing system tools (curl, jq) instead of installing arbitrary packages.
- Credentials
- okOnly OATDA_API_KEY and the ~/.oatda/credentials.json path are required, which is proportionate for a wrapper that calls OATDA's API. No unrelated secrets or multiple credential types are requested.
- Persistence & Privilege
- okThe skill is not always-enabled and does not request elevated platform privileges or modify other skills. Autonomous invocation is allowed by default (normal), but the skill does not combine that with broad or unrelated access.