ClawHub

Image Translator 1.0.0

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward translation skill that sends user-selected text, images, or image URLs to documented third-party translation APIs, with privacy and key-handling cautions.

Install only if you are comfortable sending the text, image files, image URLs, and provided service keys to the Xiangji/tosoiot translation APIs. Avoid confidential, regulated, internal-only, or secret-bearing content unless that provider is approved for your use case, and prefer safer key handling than pasting real keys directly into command lines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs users to send text, local image files, and image URLs to third-party translation services, but it does not warn about privacy, confidentiality, or data-handling implications. This can lead users to transmit sensitive content, credentials visible in screenshots, or regulated data to external providers without informed consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script sends both user-provided text and an API key to a third-party remote service, but it does not clearly warn users that their input will leave the local environment. This can expose sensitive text or credentials if the script is used on confidential content, and the risk is increased because the transfer is the core behavior of the tool rather than an incidental side effect.

External Transmission

Medium
Category
Data Exfiltration
Content
| 功能 | 端点 |
|------|------|
| 文本翻译 | `POST https://api.tosoiot.com/task/v1/text/translate` |
| 图片翻译(文件) | `POST https://api2.tosoiot.com/` |
| 图片翻译(URL 批量) | `POST https://api.tosoiot.com/` |
Confidence
90% confidence
Finding
https://api.tosoiot.com/

External Transmission

Medium
Category
Data Exfiltration
Content
|------|------|
| 文本翻译 | `POST https://api.tosoiot.com/task/v1/text/translate` |
| 图片翻译(文件) | `POST https://api2.tosoiot.com/` |
| 图片翻译(URL 批量) | `POST https://api.tosoiot.com/` |

---
Confidence
90% confidence
Finding
https://api.tosoiot.com/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal