Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

JSON File Translation

v1.0.0

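Translates text content in JSON files, especially the description field. Use this skill when the user mentions needing to translate a JSON file, translate field contents in JSON, translate the description field, or translate a JSON file into another language. This skill is well suited to JSON content that needs multilingual translation, such as product descriptions, API documentation, configuration files, and datasets.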

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description and the provided script align: the tool translates specified JSON string fields (default 'description') using an online API and writes a translated JSON. Nothing in the metadata requests unrelated credentials or system access. However, SKILL.md and README claim use of two translation services (MyMemory + LibreTranslate) and 'automatic downgrade' behavior; the script only calls MyMemory. This mismatch between claimed capability and actual implementation is unexpected.
Instruction Scope
SKILL.md instructs the agent to run scripts/translate_json.py and describes recursive field detection and fallback translation. The script does perform recursive traversal and console progress output, but its logic for detecting whether target fields exist is flawed: find_all_fields() records full dotted paths (e.g. 'parent.description') and SKILL.md then uses membership checks against plain field names (e.g. 'description'), which can cause the script to report a field as 'missing' for nested occurrences even though find_fields_by_name() would find them. SKILL.md also states a LibreTranslate fallback and that the script will 'automatically handle' missing requests library; the code does not implement a LibreTranslate fallback and does not auto-install dependencies — only uses MyMemory via requests. The script requires network access to api.mymemory.translated.net, which the documentation explicitly notes.
Install Mechanism
There is no install spec; this is instruction-only with a bundled Python script. No downloads, custom installers, or external binaries are declared. The only runtime dependency is the 'requests' Python library, which the README/SKILL.md mention but the package does not auto-install.
Credentials
The skill requests no environment variables, no credentials, and no config paths. Its network access is limited to public translation API endpoints (MyMemory). No secrets or unrelated services are requested.
Persistence & Privilege
always is false and the skill does not request persistent agent-wide privileges. The script writes only the output JSON file supplied or generated in the same directory; it does not modify other skills or agent configuration.
What to consider before installing
This skill generally does what it says (translate JSON fields) and doesn't request credentials, but it has implementation inconsistencies and bugs you should be aware of before using it on important data:
- The SKILL.md and README advertise a LibreTranslate fallback and automatic handling of missing dependencies; the included script only calls MyMemory via the 'requests' library and doesn't implement the advertised fallback or auto-install. Expect only MyMemory to be used.
- The field-detection logic can incorrectly report target fields as "missing" when those fields exist nested inside objects/arrays, causing the script to abort or skip translations unintentionally. Test the script on representative sample files.
- The script requires outbound network access to https://api.mymemory.translated.net and the 'requests' package; run it in an environment where such network access is acceptable and where you can install Python dependencies safely.
Recommendations: run the script on non-sensitive sample JSON first, verify behavior and outputs, and if you plan to rely on it, request fixes from the author (implement actual fallback to LibreTranslate, or correct the 'existing_fields' check so nested fields are detected correctly). If you need offline or private translations, do not use this public-API-based script.
