Back to skill
Skillv1.0.0
ClawScan security
translateflow-api · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 4, 2026, 10:19 PM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's requests and instructions are consistent with a translation API client: it guides obtaining a TranslateFlow API key and sending text/files to translateflow.vosscg.com, but it will transmit user content and an API key to a third party and doesn't specify secure key storage.
- Guidance
- Before installing or using this skill, be aware it will transmit whatever text and uploaded files you provide to https://translateflow.vosscg.com. Verify the TranslateFlow service reputation and privacy/terms, avoid sending sensitive or confidential data (personal data, passwords, private keys, medical/legal secrets) to the service, and consider creating a dedicated or limited API key. The SKILL.md does not prescribe secure storage for the API key — plan to store credentials in a secure vault or agent config with restricted scope and revoke the key when done. If you allow the agent to call skills autonomously, monitor network activity and test first with non-sensitive sample data (or a disposable email) to confirm behavior.
Review Dimensions
- Purpose & Capability
- okThe name/description match the instructions: the SKILL.md shows how to sign up for an API key and call TranslateFlow endpoints for text, batch, document, and domain-specific translation. There are no unrelated environment variables or binaries requested.
- Instruction Scope
- noteInstructions are focused on signing up and calling the TranslateFlow API via curl. They explicitly ask the agent to collect the user's email to create an API key and to upload files for document translation, which means user content (and files) will be sent to a third-party service. The skill does not detail how the API key should be stored securely.
- Install Mechanism
- okNo install spec or code files are present; this is an instruction-only skill, so nothing is written to disk by the skill itself.
- Credentials
- okThe skill does not request any environment variables, system config paths, or unrelated credentials. It will ask for a user email and an API key (appropriate for this purpose). The API key is sensitive; the SKILL.md lacks concrete guidance for secure storage.
- Persistence & Privilege
- okalways:false and default model invocation settings are used. The skill can be invoked autonomously by the agent (platform default) — combined with outbound network calls this increases the risk surface, but the setting itself is expected and not excessive.