ClawHub

Image Translator

Security checks across malware telemetry and agentic risk

Overview

This skill is a user-invoked translation helper that sends chosen text, images, or image URLs to disclosed third-party translation APIs.

Install only if you intend to use the Xiangji/Tosoiot translation service. Do not submit confidential text, screenshots, private documents, internal-only URLs, secrets, personal data, or regulated content unless that provider is approved for your use. Prefer revocable service keys, avoid exposing command-line keys in shared logs or shell history, and rotate keys if they may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly instructs users to send local image files and remote image URLs to third-party translation APIs, but it provides no warning about privacy, confidentiality, retention, or consent requirements. This creates a real data-handling risk because users may unknowingly upload sensitive images or text to an external service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script transmits both user-supplied text and the API credential to an external third-party service, but it does not provide any explicit warning, consent prompt, or data-handling notice to the user. This is dangerous because users may unknowingly send sensitive content or secrets off-host, creating confidentiality and compliance risks even though the network behavior is the script's intended function.

External Transmission

Medium
Category
Data Exfiltration
Content
| 功能 | 端点 |
|------|------|
| 文本翻译 | `POST https://api.tosoiot.com/task/v1/text/translate` |
| 图片翻译(文件) | `POST https://api2.tosoiot.com/` |
| 图片翻译(URL 批量) | `POST https://api.tosoiot.com/` |
Confidence
82% confidence
Finding
https://api.tosoiot.com/

External Transmission

Medium
Category
Data Exfiltration
Content
|------|------|
| 文本翻译 | `POST https://api.tosoiot.com/task/v1/text/translate` |
| 图片翻译(文件) | `POST https://api2.tosoiot.com/` |
| 图片翻译(URL 批量) | `POST https://api.tosoiot.com/` |

---
Confidence
84% confidence
Finding
https://api.tosoiot.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal