Skill v1.0.0
ClawScan security
Image Translator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 4, 2026, 9:44 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill appears to implement the advertised image/text translation but has a few inconsistencies (mismatched domains and undeclared credential handling) and will transmit your images/text to external servers — review before installing.
- Guidance
- This skill will upload the text and image data you provide to external endpoints (api.tosoiot.com / api2.tosoiot.com) for translation — do not use it with sensitive images or confidential text unless you trust that service. Note the documentation in SKILL.md references xiangjifanyi.com while the scripts use tosoiot.com domains; verify which domain is authoritative (check TLS certs, service docs, or contact the vendor). The scripts accept required keys as CLI arguments (not environment variables), so those keys may appear in shell history and process listings — keep them secret and confirm the service's privacy/billing policies before sending lots of data. If you want stronger guarantees, prefer using the official vendor SDK/API endpoints you trust (e.g., Google/DeepL) or run local OCR/translation pipelines.
Review Dimensions
- Purpose & Capability
- note: The scripts implement text and image translation as described (text POST to a translation API; image upload or URL-batch endpoints). However, SKILL.md advertises xiangjifanyi.com and openapi-doc.xiangjifanyi.com while the actual API endpoints used in code are api.tosoiot.com and api2.tosoiot.com — a domain mismatch that could indicate outdated docs, a proxy service, or mislabeling. The skill does not request unrelated capabilities (no AWS, etc.).
- Instruction Scope
- note: Runtime instructions direct running the included Python scripts which: (a) POST text to https://api.tosoiot.com/task/v1/text/translate, and (b) upload local image files (via curl subprocess) to https://api2.tosoiot.com or POST URL batches to https://api.tosoiot.com. These actions will send entire image contents and text to external servers (expected for translation but privacy-sensitive). The scripts do not read arbitrary system config files or other environment variables.
- Install Mechanism
- ok: No install spec is provided (instruction-only with included scripts). No downloads or archive extractions occur at install time; the files are plain Python scripts and a language reference file — low install risk.
- Credentials
- note: The skill does not declare required environment variables in the registry metadata, but SKILL.md and the scripts require API keys (TextTransKey, ImgTransKey, UserKey) as CLI arguments. Requiring service API keys is proportional, but the registry metadata not declaring them is an inconsistency and reduces transparency. No unrelated secrets are requested.
- Persistence & Privilege
- ok: The skill does not request `always: true` and does not attempt to modify other skills or system-wide config. It runs only when invoked.
