Straker Verify

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a legitimate Straker translation skill, but it uses your Straker API key and can send text or files to Straker, including for optional human review.

Before installing, verify that you trust the Straker publisher and API endpoint, keep STRAKER_VERIFY_API_KEY secure, and only ask the assistant to upload files or confirm projects when you are comfortable with the content, cost, and any human-review implications.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used carelessly, the assistant could submit or confirm a translation job the user did not intend.

Why it was flagged

The skill documents account-mutating API operations that can create and confirm translation projects. This is purpose-aligned, but project confirmation may have business or cost implications.

Skill content
### Confirm Project

Required when `confirmation_required=true`:

```bash
curl -X POST https://api-verify.straker.ai/project/confirm
```
Recommendation

Review project details, files, target languages, and any pricing or confirmation step before asking the assistant to create or confirm a project.

What this means

Anyone or any agent process with access to the environment variable may be able to use the Straker API under the user's account.

Why it was flagged

The skill requires a Straker API key and uses it as a Bearer token for authenticated API calls. This is expected for the integration, but it gives the assistant access to the user's Straker account capabilities.

Skill content
All requests (except `/languages`) require Bearer token authentication:

```bash
curl -H "Authorization: Bearer $STRAKER_VERIFY_API_KEY"
```
Recommendation

Store the API key securely, rotate it if exposed, and use the least-privileged key available from Straker if supported.

What this means

Users may have less assurance that the registry package is officially published by Straker.

Why it was flagged

The registry metadata does not provide a verified source, although the SKILL.md claims a Straker repository and homepage. Because this is instruction-only and has no executable code, this is a provenance note rather than a concern.

Skill content
Source: unknown
Recommendation

Verify the publisher, homepage, and API documentation before adding the API key or sending sensitive documents.

What this means

Private or regulated content could be uploaded to Straker and, for human verification, reviewed by people.

Why it was flagged

The documented workflows send user files to an external provider and optionally to human reviewers. This is central to the skill's purpose and is disclosed, but it crosses a data boundary.

Skill content
```bash
curl -X POST https://api-verify.straker.ai/project \
  -F "files=@document.txt" ...
```

### Human Verification

Add professional human review to translations
Recommendation

Only send documents you are allowed to share with Straker and human reviewers, and review Straker's privacy, retention, and compliance terms for sensitive content.