Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
deepL Translate
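v1.0.2
Use when the user explicitly asks to use the official DeepL API. Suitable for text translation, document translation, language and usage queries, and glossary v2/v3 management. Connects only to official DeepL API domains, uses the DEEPL_API_KEY from environment variables, and does not read any other credentials.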
⭐ 2· 129·0 current·0 all-time
by liaong @liaol99
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The script and documentation match the advertised purpose (DeepL text/document translation, glossaries, usage queries). However, the registry metadata lists no required environment variables or primary credential while SKILL.md (and the script) require DEEPL_API_KEY (and optionally DEEPL_API_BASE_URL). That metadata omission is an incoherence that should be corrected.
Instruction Scope
SKILL.md explicitly limits network access to DeepL official endpoints, only reads local files when the user explicitly supplies --file/--stdin/--entries-file, and claims not to run shells or spawn subprocesses. The included Python script uses urllib.* (the provided excerpts show no sign of shelling out). A remaining risk: any file you provide will be sent to DeepL (document or entries), so do not supply sensitive secrets unless you trust the account/endpoint.
Install Mechanism
No install spec (instruction-only with an included Python script). No downloads or archive extraction — lowest install risk. The script claims to rely only on the Python standard library.
Credentials
The skill needs at least DEEPL_API_KEY (and optionally DEEPL_API_BASE_URL) according to SKILL.md and the script, but the registry metadata lists no required env vars or primary credential. That mismatch is disproportionate and could hide operational requirements or mislead users about what secrets will be used. The number and nature of env vars requested are otherwise appropriate for a DeepL client.
Persistence & Privilege
The skill does not request always:true and has no documented behavior that persists beyond its own files or modifies other skills. It does not declare elevated system privileges.
What to consider before installing
This skill appears to be a normal DeepL CLI wrapper, but take the following precautions before installing or enabling it:
- Verify and set DEEPL_API_KEY yourself; the SKILL.md requires it but the registry metadata does not declare it. Ask the publisher to update metadata so the required env var is explicit.
- Review the full scripts/deepl_translate.py (search for any network calls) and confirm it only contacts https://api.deepl.com or https://api-free.deepl.com. A quick grep for 'api.deepl' and 'http' in the code will help.
- Do not upload sensitive documents or secrets via --file, --stdin or entries files unless you trust the DeepL account tied to the API key; any content you provide will be sent to DeepL.
- Prefer using a limited/rotated DeepL key or a test account when first trying the skill, and monitor usage to detect unexpected requests.
- If you need higher assurance, run the script in a sandboxed environment and monitor outbound connections to confirm only the allowed domains are contacted.
Confidence is medium because only a truncated portion of the script was provided; reviewing the complete script would raise confidence to high.
Like a lobster shell, security has layers — review code before you run it.
latestvk97evfrhpk4dmaqce48x3aq3xh83jsh3
