Back to skill

Security audit

Api Translator

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: fetches API documentation and helps translate it into Traditional Chinese, with no evidence of hidden persistence, credential use, or destructive behavior.

Install only if you want a skill that fetches API documentation URLs and translates their content with an LLM. Use it for public or approved documentation, avoid sensitive internal docs, and verify the publisher if the OpenClaw-team attribution matters to you.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrase `API 文件` is broad enough to activate on ordinary discussion about API documentation, not just explicit requests to use this skill. Overbroad triggers can cause unintended invocation, leading to unexpected external fetching and transmission of document content to downstream tools or models without clear user intent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to fetch external URLs and send the retrieved content to an LLM, but does not warn the user that third-party content will be retrieved and retransmitted for processing. This creates privacy, data-handling, and consent risks, especially if the provided URL contains internal, authenticated, or sensitive documentation.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.