ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

translateflow-api

v1.0.0

AI-powered translation services using TranslateFlow API - translation, translate text, language conversion, multilingual translation, language translation, d...

0· 275·0 current·0 all-time
by@jbennett111
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description match the instructions: the SKILL.md shows how to sign up for an API key and call TranslateFlow endpoints for text, batch, document, and domain-specific translation. There are no unrelated environment variables or binaries requested.
Instruction Scope
Instructions are focused on signing up and calling the TranslateFlow API via curl. They explicitly ask the agent to collect the user's email to create an API key and to upload files for document translation, which means user content (and files) will be sent to a third-party service. The skill does not detail how the API key should be stored securely.
Install Mechanism
No install spec or code files are present; this is an instruction-only skill, so nothing is written to disk by the skill itself.
Credentials
The skill does not request any environment variables, system config paths, or unrelated credentials. It will ask for a user email and an API key (appropriate for this purpose). The API key is sensitive; the SKILL.md lacks concrete guidance for secure storage.
Persistence & Privilege
always:false and default model invocation settings are used. The skill can be invoked autonomously by the agent (platform default) — combined with outbound network calls this increases the risk surface, but the setting itself is expected and not excessive.
Assessment
Before installing or using this skill, be aware it will transmit whatever text and uploaded files you provide to https://translateflow.vosscg.com. Verify the TranslateFlow service reputation and privacy/terms, avoid sending sensitive or confidential data (personal data, passwords, private keys, medical/legal secrets) to the service, and consider creating a dedicated or limited API key. The SKILL.md does not prescribe secure storage for the API key — plan to store credentials in a secure vault or agent config with restricted scope and revoke the key when done. If you allow the agent to call skills autonomously, monitor network activity and test first with non-sensitive sample data (or a disposable email) to confirm behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a4jcdya3aa9c26wr9x2b0cn829tx8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments