Excel Translator

Pass

Audited by VirusTotal on May 11, 2026.

Findings (1)

The skill is classified as suspicious due to two key vulnerabilities. First, the `SKILL.md` instructions for executing `scripts/translate.py` embed a user-provided file path directly into a shell command, creating a shell injection vulnerability if the OpenClaw agent does not properly sanitize the input. Second, `scripts/translate.py` attempts to load API credentials from `~/.openai/secret` before falling back to environment variables, posing an information disclosure risk because it accesses a potentially sensitive file instead of relying only on the expected environment variables. There is no evidence of intentionally malicious behavior, such as data exfiltration to unauthorized endpoints or installation of backdoors.