
ClawScan security

Image Translator 1.0.0 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 16, 2026, 8:36 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and instructions align with an image/text translation service, but there are small mismatches you should be aware of before use (missing declared binary and different API hostnames).
Guidance
This package appears to implement a legitimate translation tool, but check a few things before installing or running it:
- Ensure you trust the remote API hosts (api.tosoiot.com and api2.tosoiot.com). The SKILL.md mentions xiangjifanyi.com as the service/site, while the scripts post to tosoiot domains; confirm these are correct and trusted endpoints for your keys and data.
- The image upload script uses the local curl binary (subprocess.run(['curl', ...])). Make sure curl is available on the host. The skill metadata did not declare curl as a required binary.
- The tool requires you to supply service keys (TextTransKey, ImgTransKey, UserKey). These keys will be sent to the remote API; only use keys you intend to share with this third-party service and avoid reusing high-privilege credentials.
- Review the service's privacy/terms on the vendor website (links are in SKILL.md) to understand how uploaded images/text are stored or processed.
- Minor metadata oddities (owner/published timestamps and the differing domains) are not proof of maliciousness but are worth verifying with the skill author or vendor if you need higher assurance.

Review Dimensions

Purpose & Capability
note
The name/description match the included scripts: both text_translate.py and image_translate.py implement calls to remote translation APIs. However, the runtime scripts invoke the curl binary for file uploads while the skill metadata lists no required binaries; curl is therefore a missing declared requirement. Otherwise the requested inputs (API keys, image file or URLs) are consistent with a translator.
Instruction Scope
ok
SKILL.md and the scripts limit actions to uploading text/images and receiving translation responses. The instructions ask the user to provide API keys (via CLI args) and do not instruct reading unrelated local files or environment variables. The scripts only send data to the declared API endpoints; they do not attempt to access other system secrets.
Install Mechanism
ok
There is no install spec (instruction + scripts only), so nothing is downloaded or written during install. The scripts run using standard Python libraries and subprocess/curl for file uploads; no external packages or archive downloads are performed.
Credentials
ok
The skill requires translation service keys (passed as CLI args), which is proportionate to the task. It does not demand unrelated environment variables or credentials. Keys are used to compute a simple MD5-based signature and to authenticate API calls.
Persistence & Privilege
ok
The skill does not request persistent/always-on privileges and does not modify other skills or system-wide configuration. Normal autonomous invocation settings remain unchanged (default).