Iflytek Translate

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal iFlytek translation skill, but users should understand that translated text is sent to a third-party service.

Install only if you are comfortable sending the text you ask it to translate, including file or stdin content, to iFlytek for processing. Avoid secrets, credentials, confidential business text, personal data, or regulated content unless you have approval for third-party translation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
93% confidence
Finding
The README clearly states the skill uses the iFlytek machine translation API, which means user-provided text is transmitted to a third-party service. However, it does not explicitly warn users that their input may leave the local environment and be subject to external processing, logging, retention, or jurisdictional privacy considerations. In a translation skill, users may paste sensitive documents or personal data, so the omission creates a real privacy and data-handling risk.

Vague Triggers

Medium
84% confidence
Finding
The invocation examples include generic phrases such as '帮我翻译一下' ("help me translate this") that overlap with ordinary conversation and can cause the skill to trigger unintentionally. In context, accidental activation is more dangerous because the skill sends user-provided text to a third-party translation service, potentially disclosing content the user did not intend to transmit externally.

Missing User Warnings

Medium
97% confidence
Finding
The skill documentation describes translation features but does not clearly warn users that input text is sent to iFlytek's external API for processing. This is a meaningful privacy issue because users may provide confidential, proprietary, or personal text under the assumption of local handling, while the skill actually transmits that content over the network to a third party.

Missing User Warnings

Medium
95% confidence
Finding
The script sends whatever text the user provides to the remote iFlytek translation API, but it does not clearly warn users at the point of use that their content leaves the local environment. This can expose sensitive or regulated data if a user assumes translation is local or does not realize the privacy implications of using an external service.

VirusTotal

63/63 vendors flagged this skill as clean.
