Straker Verify - AI Translation & Human Review

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: straker-verify
Version: 1.0.0

The OpenClaw skill bundle for 'straker-verify' is benign. All instructions in SKILL.md and README.md are clearly aligned with its stated purpose of providing AI translation and human verification services via the Straker.ai API. The skill properly requests an API key via an environment variable (STRAKER_VERIFY_API_KEY) and uses it for authentication to the legitimate domain `https://api-verify.straker.ai`. There is no evidence of data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, prompt injection attempts against the agent, or obfuscation. File operations (uploading source files, downloading translated files) are directly related to the skill's core functionality.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used carelessly, the agent could submit the wrong file or create a translation project the user did not intend.

Why it was flagged

The skill documents authenticated API calls that create translation projects and upload files. This is expected for a translation service, but project creation and file upload should remain user-directed.

Skill content

curl -X POST https://api-verify.straker.ai/project \
  -H "Authorization: Bearer $STRAKER_VERIFY_API_KEY" \
  -F "files=@document.txt" \
  -F "languages=<language-uuid>"

Recommendation

Confirm the exact files, target languages, and whether a project or human review should be created before sending content to the API.

What this means

Requests made through the skill may be associated with the user's Straker account and could consume account resources or access projects allowed by that key.

Why it was flagged

The skill requires a Straker API key and uses it as a bearer token for authenticated service access. This is appropriate for the integration but gives the agent delegated access to the user's Straker account.

Skill content

All requests (except `/languages`) require Bearer token authentication: ... Authorization: Bearer $STRAKER_VERIFY_API_KEY

Recommendation

Use a dedicated, revocable API key with the minimum permissions needed, and avoid sharing the key in chat or files.

What this means

Sensitive documents submitted for translation or human review may leave the local environment and be processed by Straker or its reviewers.

Why it was flagged

The skill can send user content to an external provider and, for human verification, potentially to human reviewers. This is disclosed and purpose-aligned, but it affects data handling expectations.

Skill content

Human Verification: Professional human review for critical content ... curl -X POST https://api-verify.straker.ai/human-verify ... -F "files=@translated.txt"

Recommendation

Review Straker's privacy and data-handling terms before sending confidential, regulated, or proprietary content.