Xtranslate
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Xtranslate mostly matches a document-translation tool, but its API-key storage is weakly protected and its safety claims should be reviewed before use.
Before installing, avoid the saved API-key feature unless it is fixed; use environment variables or an OS keychain instead. Use local translation for confidential files, choose narrow folders for batch mode, and periodically delete translation_monitor.json if paths are sensitive.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
API keys saved through the tool may not be strongly protected and could be reused for paid provider access if local files are exposed.
The credential-encryption helper derives its key from a hard-coded password and salt and accepts plaintext values for compatibility. In the context of the documented/GUI API-key save feature, saved provider keys would be reversible by anyone who can access the stored ciphertext and this code.
def __init__(self, password="Xtranslate_Secret_Key"): ...
salt = b'xtranslate_salt' ...
if not encrypted_text or not encrypted_text.startswith("gAAAA"): return encrypted_text
Prefer environment variables or an OS keychain for API keys. If local key storage remains, use a per-user secret, disclose the storage path, and provide clear key deletion and rotation guidance.
A user may trust the saved-key feature more than they should and store valuable API credentials in a weakly protected local form.
The following documentation claim overstates the protection shown in the provided implementation, which uses a fixed encryption secret known to anyone with the code rather than a user- or OS-protected secret.
✅ **API Encryption** - API Key stored encrypted, ensuring security / **API Encryption** - Encrypt API Key storage to ensure security
Reword the documentation to accurately describe the protection level, or replace the implementation with secure credential storage before encouraging users to save keys.
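The finding above hinges on two properties of the helper: the key is derived from constants that ship with the code, and any stored value that does not look like a token is returned as-is. The following added example (written for this review, not code from the Xtranslate project) reproduces both behaviours in a WeakStore and contrasts them with a PerUserStore that takes its key from an environment variable or a random per-user secret file created with owner-only permissions. The environment variable name XTRANSLATE_KEY, the token prefix, and the sample API key are assumptions; the HMAC-based stream cipher is a stand-in used only so the block runs on the standard library, where the real helper uses Fernet.

```python
import hashlib
import hmac
import os
import secrets
import tempfile
from pathlib import Path
from typing import Optional

# Constants quoted from the scanned helper: everything needed to derive the key is in the source.
HARDCODED_PASSWORD = b"Xtranslate_Secret_Key"
HARDCODED_SALT = b"xtranslate_salt"
TOKEN_PREFIX = "XTK1:"  # constructed marker, playing the role of the Fernet "gAAAA" prefix


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher (HMAC-SHA256 in counter mode) so the example needs no third-party
    # package; a real credential store should use Fernet or AES-GCM, not this.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: str) -> str:
    data = plaintext.encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return TOKEN_PREFIX + (nonce + ct + tag).hex()


def unseal(key: bytes, token: str) -> str:
    raw = bytes.fromhex(token[len(TOKEN_PREFIX):])
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered token")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


class WeakStore:
    """Mirrors the scanned pattern: key from constants, non-token values passed through."""

    def __init__(self, password: bytes = HARDCODED_PASSWORD):
        self.key = hashlib.pbkdf2_hmac("sha256", password, HARDCODED_SALT, 100_000, dklen=32)

    def encrypt(self, value: str) -> str:
        return seal(self.key, value)

    def decrypt(self, stored: str) -> str:
        if not stored or not stored.startswith(TOKEN_PREFIX):
            return stored  # "compatibility" path: plaintext on disk is accepted silently
        return unseal(self.key, stored)


class PerUserStore:
    """Key from an environment variable, else a per-user random secret file created 0600."""

    def __init__(self, secret_path: Path, env_var: Optional[str] = "XTRANSLATE_KEY"):
        env = os.environ.get(env_var) if env_var else None  # variable name is an assumption
        if env:
            self.key = hashlib.sha256(env.encode()).digest()
            return
        if not secret_path.exists():
            fd = os.open(secret_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "wb") as f:
                f.write(secrets.token_bytes(32))
        self.key = secret_path.read_bytes()

    def encrypt(self, value: str) -> str:
        return seal(self.key, value)

    def decrypt(self, stored: str) -> str:
        if not stored.startswith(TOKEN_PREFIX):
            raise ValueError("refusing to accept an unencrypted stored credential")
        return unseal(self.key, stored)


def compare_stores() -> dict:
    """A fresh WeakStore (anyone holding the code) decrypts another WeakStore's token,
    while a PerUserStore token needs that user's secret and plaintext is never accepted."""
    api_key = "sk-constructed-example"  # constructed sample, not a real credential
    weak_token = WeakStore().encrypt(api_key)
    with tempfile.TemporaryDirectory() as d:
        alice = PerUserStore(Path(d) / "alice.key", env_var=None)
        mallory = PerUserStore(Path(d) / "mallory.key", env_var=None)
        token = alice.encrypt(api_key)
        try:
            mallory.decrypt(token)
            cross_user = True
        except ValueError:
            cross_user = False
        try:
            alice.decrypt(api_key)
            plaintext_accepted = True
        except ValueError:
            plaintext_accepted = False
        return {
            "weak_recovered_by_fresh_instance": WeakStore().decrypt(weak_token) == api_key,
            "weak_passes_plaintext_through": WeakStore().decrypt(api_key) == api_key,
            "per_user_cross_user_decrypt": cross_user,
            "per_user_accepts_plaintext": plaintext_accepted,
            "per_user_roundtrip": alice.decrypt(token) == api_key,
        }
```

The second class still keeps a secret on disk, which is why the recommendation prefers an OS keychain; what it removes is the property that the ciphertext plus the public source is enough to recover the key, and the silent fallback that lets an unencrypted value sit in the store indefinitely.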
Confidential document contents may leave the local machine during cloud translation.
The skill supports cloud translation through third-party provider endpoints, and translated document text may be sent to those providers when cloud mode is selected.
CLOUD_MODEL_GPT4O_BASE_URL=https://api.openai.com/v1 ... CLOUD_MODEL_CLAUDE_BASE_URL=https://api.anthropic.com/v1 ... CLOUD_MODEL_CUSTOM_ENV_KEY=CUSTOM_API_KEY
Use the local Ollama engine for sensitive documents, or confirm the chosen provider's data-retention and privacy terms before using cloud mode.
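A practical way to act on this finding is to classify each configured endpoint by whether document text stays on the machine, and to refuse remote endpoints for documents the user marks confidential. The added example below is not part of the skill; it parses .env-style lines modelled on the ones quoted above. The LOCAL_MODEL_OLLAMA_BASE_URL key, the partner URL and the CONFIDENTIAL flag are assumptions (Ollama's default port is 11434).

```python
from urllib.parse import urlparse

# Constructed .env text modelled on the lines quoted in the finding; the local Ollama
# entry and the CUSTOM partner host are assumptions for this example.
SAMPLE_ENV = """
# cloud providers
CLOUD_MODEL_GPT4O_BASE_URL=https://api.openai.com/v1
CLOUD_MODEL_CLAUDE_BASE_URL=https://api.anthropic.com/v1
CLOUD_MODEL_CUSTOM_BASE_URL=https://llm.partner.example/v1
CLOUD_MODEL_CUSTOM_ENV_KEY=CUSTOM_API_KEY
# local engine
LOCAL_MODEL_OLLAMA_BASE_URL=http://localhost:11434
"""

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_engines(env_text: str) -> dict:
    """Collect engine name -> base URL from *_BASE_URL lines; other keys are ignored."""
    engines = {}
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.endswith("_BASE_URL"):
            engines[key[: -len("_BASE_URL")]] = value
    return engines


def classify_endpoint(url: str) -> str:
    """'local' only for loopback hosts; anything else means document text leaves the machine."""
    host = (urlparse(url).hostname or "").lower()
    return "local" if host in LOOPBACK_HOSTS else "remote"


def egress_summary(engines: dict) -> dict:
    """Engine -> remote host, the list to check against provider retention terms."""
    return {name: urlparse(url).hostname for name, url in engines.items()
            if classify_endpoint(url) == "remote"}


def choose_engine(engines: dict, requested: str, confidential: bool) -> str:
    """Return the base URL to use, refusing remote endpoints for confidential documents."""
    url = engines[requested]
    if confidential and classify_endpoint(url) == "remote":
        raise PermissionError(f"{requested} would send text to {urlparse(url).hostname}; "
                              "confidential documents must use a local engine")
    return url
```

Note that a private LAN host is still classified as remote: the question the finding raises is whether text leaves the machine, not whether the destination is a public cloud.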
Local history files may reveal which documents were translated and where they are stored.
The monitor persists translation history to a local JSON file, including file paths, engine choices, language targets, timings, and errors.
"file_path": str(file_path), "engine": engine, "target_lang": target_lang ... self.records.append(record); self.save_records()
Document the log location, offer a cleanup option, and avoid running the skill from shared directories when filenames or paths are sensitive.
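The cleanup option the recommendation asks for can be small: age out old records and strip the directory part of file_path from the rest. The added example below is written for this review and is not the monitor's own code; the records are constructed in the shape the finding describes, and the "timestamp" and "duration_s" field names are assumptions.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path, PurePosixPath

# Constructed records in the shape the finding describes (file_path, engine,
# target_lang, timing, error). The "timestamp" field name is an assumption.
SAMPLE_RECORDS = [
    {"timestamp": "2024-02-25T09:00:00+00:00", "file_path": "/home/alice/Contracts/nda.docx",
     "engine": "ollama", "target_lang": "de", "duration_s": 41.2, "error": None},
    {"timestamp": "2024-01-05T14:30:00+00:00", "file_path": "/home/alice/Medical/labs.pdf",
     "engine": "gpt4o", "target_lang": "en", "duration_s": 12.8, "error": None},
    {"timestamp": "2024-02-28T17:45:00+00:00", "file_path": "/home/alice/Contracts/msa.pdf",
     "engine": "claude", "target_lang": "fr", "duration_s": 0.4, "error": "rate limited"},
]


def exposed_directories(records) -> set:
    """Directories a reader of the log would learn about."""
    dirs = set()
    for r in records:
        parent = PurePosixPath(r.get("file_path", "")).parent
        if str(parent) not in ("", "."):
            dirs.add(str(parent))
    return dirs


def prune_monitor(path: Path, keep_days: int, now: datetime, path_mode: str = "basename") -> dict:
    """Drop records older than keep_days and strip directory information from the rest.
    path_mode 'basename' keeps only the file name; 'hash' keeps a truncated SHA-256 so
    repeat translations of one file stay correlatable without revealing its name."""
    records = json.loads(path.read_text(encoding="utf-8")) if path.exists() else []
    cutoff = now - timedelta(days=keep_days)
    kept = []
    for r in records:
        if datetime.fromisoformat(r["timestamp"]) < cutoff:
            continue
        r = dict(r)
        fp = r.get("file_path")
        if fp:
            r["file_path"] = (PurePosixPath(fp).name if path_mode == "basename"
                              else hashlib.sha256(fp.encode()).hexdigest()[:16])
        kept.append(r)
    path.write_text(json.dumps(kept, indent=2), encoding="utf-8")
    return {"before": len(records), "after": len(kept),
            "dirs_before": exposed_directories(records), "dirs_after": exposed_directories(kept),
            "paths_after": [r["file_path"] for r in kept]}


def demo() -> dict:
    """Run the cleanup against a temporary translation_monitor.json holding the sample records."""
    with tempfile.TemporaryDirectory() as d:
        log = Path(d) / "translation_monitor.json"
        log.write_text(json.dumps(SAMPLE_RECORDS), encoding="utf-8")
        return prune_monitor(log, keep_days=30, now=datetime(2024, 3, 1, tzinfo=timezone.utc))
```

Engine, language and error fields are kept because they are what the monitor exists for; only the path, which is the field the finding identifies as sensitive, is reduced.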
If the user points the tool at a large or sensitive folder, many documents could be read, translated, logged, and potentially sent to a cloud provider.
Batch mode recursively collects all supported files under a selected directory. This is purpose-aligned, but a broad directory selection could process more private files than intended.
elif os.path.isdir(target_path):
    for root, dirs, filenames in os.walk(target_path): ... files.append(os.path.join(root, filename))
Use narrowly scoped folders, preview the file list before translation, and prefer explicit confirmation for large batch runs.
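The recommendation to scope batch runs can be enforced in the collector itself rather than left to the user. The added example below (written for this review, not the skill's code) replaces the unbounded os.walk with a depth limit, skips hidden entries and symlinks, stops at a file cap, and produces the preview a UI would show before anything is read. The supported extensions are assumed from the dependency list; the folder tree in demo() is constructed.

```python
import os
import tempfile
from pathlib import Path

# Extensions assumed from the dependency list (python-docx, pdf2docx, openpyxl, python-pptx, striprtf).
SUPPORTED = {".docx", ".pdf", ".xlsx", ".pptx", ".rtf"}


def collect_files(target, max_depth=1, max_files=100, skip_hidden=True):
    """Bounded replacement for an unrestricted os.walk over a user-chosen folder: limits
    recursion depth, skips hidden entries and symlinks, and refuses to go past max_files."""
    target = Path(target)
    if target.is_file():
        return [target]
    found = []
    base_depth = len(target.parts)
    for root, dirs, names in os.walk(target):  # followlinks defaults to False
        depth = len(Path(root).parts) - base_depth
        # Prune in place so os.walk never descends too deep or into hidden directories.
        dirs[:] = sorted(d for d in dirs
                         if depth < max_depth and not (skip_hidden and d.startswith(".")))
        for name in sorted(names):
            if skip_hidden and name.startswith("."):
                continue
            p = Path(root) / name
            if p.suffix.lower() not in SUPPORTED or p.is_symlink():
                continue
            found.append(p)
            if len(found) > max_files:
                raise RuntimeError(f"more than {max_files} files under {target}; "
                                   "narrow the folder or raise the cap explicitly")
    return found


def preview(files, base) -> str:
    """Text a UI would show for confirmation before any file is read or sent anywhere."""
    lines = [f"{len(files)} file(s) selected under {base}:"]
    lines += [f"  {p.relative_to(base).as_posix()}" for p in files]
    return "\n".join(lines)


def demo() -> dict:
    """Build a constructed folder tree and show what each setting selects."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        for rel in ["a.docx", ".hidden.docx", "notes.md", "sub/b.pdf",
                    "sub/deep/c.pptx", ".git/x.docx"]:
            p = base / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("x")
        shallow = [p.relative_to(base).as_posix() for p in collect_files(base, max_depth=1)]
        deep = [p.relative_to(base).as_posix() for p in collect_files(base, max_depth=10)]
        try:
            collect_files(base, max_depth=10, max_files=2)
            capped = False
        except RuntimeError:
            capped = True
        return {"shallow": shallow, "deep": deep, "capped": capped,
                "preview": preview(collect_files(base, max_depth=1), base)}
```

Pruning dirs in place is what makes the depth and hidden-directory rules effective; filtering only the yielded paths would still traverse (and stat) everything under the folder.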
The installed dependency set may vary over time, which can affect reliability and supply-chain exposure.
Dependencies are listed without version pins or hashes, and the metadata provides no install specification. Manual installation could pull changing package versions from package indexes.
python-docx pdf2docx openai jieba cryptography customtkinter ollama translate openpyxl python-pptx striprtf
Install in a virtual environment, pin dependency versions, and prefer reviewed lockfiles or hashes before production use.
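Whether a requirements list is pinned and hashed is easy to check mechanically before installing. The added example below (written for this review, not the project's tooling) audits requirements text for exact "==" pins and --hash entries, joining backslash continuations so a multi-line hashed requirement counts as one record. The dependency names are the ones listed on the page; the pinned example and its hash value are constructed placeholders.

```python
import re

# Dependency names as listed on the page, with no version pins or hashes.
PAGE_DEPENDENCIES = ("python-docx pdf2docx openai jieba cryptography customtkinter "
                     "ollama translate openpyxl python-pptx striprtf").split()

# Constructed lines in pip's requirements format; the hash value is a placeholder.
PINNED_EXAMPLE = """\
openai==1.0.0 \\
    --hash=sha256:<placeholder-hash>
jieba==0.42.1
"""

NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")
EXACT_PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*\s*(\[[^\]]*\])?\s*==\s*[^\s;#]+")


def logical_lines(text: str):
    """Yield one logical requirement per item, joining backslash continuations and
    dropping comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def audit_requirements(text: str) -> dict:
    """Report which requirements lack an exact '==' pin and which lack a --hash."""
    unpinned, unhashed = [], []
    for line in logical_lines(text):
        m = NAME_RE.match(line)
        if not m:
            continue
        name = m.group(1)
        if not EXACT_PIN_RE.match(line):
            unpinned.append(name)
        if "--hash=" not in line:
            unhashed.append(name)
    return {"unpinned": unpinned, "unhashed": unhashed}
```

Run against the page's list every entry is flagged on both counts; against the constructed example only jieba is flagged, and only for the missing hash. A pin without a hash still trusts the index to serve the same artifact each time, which is why the recommendation asks for both.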
