Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
TranslateFlow
v1.0.0AI translation via TranslateFlow API — multi-language content translation, localization, tone adaptation, batch translation. Use when user needs text transla...
⭐ 0· 356·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to be a TranslateFlow API client (translation, tone, batch) and the script and SKILL.md call translation endpoints at https://anton.vosscg.com, which is coherent with the stated purpose. However, the registry metadata declares no required environment variables or primary credential while the SKILL.md and scripts clearly require either TRANSLATEFLOW_API_KEY or TRANSLATEFLOW_EMAIL at runtime. This metadata/instruction mismatch is unexplained and reduces trust.
Instruction Scope
Runtime instructions and the provided script only call the service's endpoints (/v1/translate, /v1/translate/batch, /v1/keys, /v1/health) and do not attempt to read arbitrary local files or other credentials. That scope is appropriate for a translation client. Note: instructions recommend auto-signup by POSTing an email to the service, which will transmit the user's email to the remote host; this is within the skill's purpose but is a privacy consideration that should have been declared.
Install Mechanism
No install spec is present (instruction-only). The only shipped code is a small shell script that calls the API. Nothing is downloaded or extracted at install time, which is low risk.
Credentials
The runtime requires either TRANSLATEFLOW_API_KEY or TRANSLATEFLOW_EMAIL (and optionally TRANSLATEFLOW_API_URL) but the skill metadata lists no required env vars or primary credential — an incoherence. The script will send the provided email to an opaque domain to obtain an API key, and it prints the received API key to stderr (echo '✅ Free key: $API_KEY' >&2), which could expose keys in agent logs or monitoring. Requiring an email and returning/printing a key is plausible for signup, but the missing declaration and the stderr leak are concerning.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does not modify other skills or system-wide configurations. Autonomous invocation is allowed (platform default) but not a special risk here on its own.
What to consider before installing
Before installing, confirm you trust the endpoint (https://anton.vosscg.com) and the publisher — the package has no homepage/source listed. Be aware the skill will either (a) ask you to provide an API key or (b) POST your email to the service to obtain a key; it will print the key to stderr which may leak into logs. Ask the publisher to update the registry metadata to declare required env vars (TRANSLATEFLOW_API_KEY or TRANSLATEFLOW_EMAIL) and to avoid printing secrets to stderr. If you decide to use it, prefer providing an explicit API key (not an email for auto-signup), run it in an isolated environment, and verify the API base URL (TRANSLATEFLOW_API_URL) before setting it.Like a lobster shell, security has layers — review code before you run it.
latestvk97dhy9b3j4m0cx13mdsfyjt7d826vmz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.