Skill v1.0.0
VirusTotal security
TranslateFlow · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:59 AM
- Hash: 8044b8e522a4a702e096fe58c37ec3fadaadd5db60da8ab9691e6c21e51e7629
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: translateflow. Version: 1.0.0. The skill bundle is suspicious due to critical vulnerabilities. The `scripts/forge-client.sh` script is susceptible to shell injection in its `translate` and `batch` actions, as it directly passes user input (`$1`) to `curl -d` without sanitization, potentially leading to arbitrary command execution. Additionally, the `API_BASE` can be overridden via the `TRANSLATEFLOW_API_URL` environment variable, allowing redirection of API calls to arbitrary endpoints (e.g., `anton.vosscg.com`), which could be exploited for data exfiltration or malicious responses.
