translateflow-api

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent translation API skill, but it sends user content and signup details to an external provider and requires careful API-key handling.

Install only if you trust TranslateFlow and are comfortable sending translation content to its API. Replace the placeholder key with your own, store the real key securely, and avoid uploading confidential or regulated documents unless the provider's terms are acceptable.

Static analysis

Exposed secret literal

Critical

Finding

File appears to expose a hardcoded API secret or token.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may help create and use a TranslateFlow API key tied to the user's email address.

Why it was flagged

The skill asks for a personal email and creates/stores a provider API key. This is purpose-aligned, but credential scope and storage are not declared in metadata.

Skill content

Ask the user for their email address to create a free TranslateFlow account. ... Save the API key securely for future use.

Recommendation

Use a dedicated API key, store it in a trusted secret manager or environment variable, and revoke it if you stop using the service.

What this means

Confidential text or documents submitted for translation would be sent to translateflow.vosscg.com.

Why it was flagged

The documented workflow uploads user-selected documents and text to an external provider for translation. This is core functionality, but private content could be exposed to that provider.

Skill content

curl -X POST https://translateflow.vosscg.com/v1/documents/translate ... -F "file=@document.pdf"

Recommendation

Only send content you intend to share with the provider, and review the provider's privacy and retention terms before translating sensitive material.

What this means

Users have less registry-provided context for deciding whether to trust the external translation service.

Why it was flagged

The registry metadata provides limited provenance for the skill or external API provider, making it harder for users to verify the operator before sending data.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the TranslateFlow provider and domain out-of-band before sending signup information, API keys, or sensitive documents.