Skillv1.0.0

ClawScan security

Skill for OpenClaw: Converts classical Chinese to vernacular Chinese, supporting multiple e-book formats for full-text conversion. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 11, 2026, 2:33 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's files, runtime instructions, and requested capabilities are internally consistent with a local EPUB/XHTML translation tool; no credentials, network access, or surprising actions are requested, though there are minor metadata/integration inconsistencies to review before installing.
Guidance: This skill appears to do what it claims: local EPUB/XHTML translation with terminology support and no network calls. Before installing: (1) verify the source repository link (package.json/README point to GitHub) if you require an authoritative origin, since the registry entry's source/homepage were 'unknown'/'none'; (2) run it in a sandbox or VM and ensure pip packages (ebooklib, lxml) are installed rather than relying on npm; (3) review the included scripts yourself—there are duplicated files and a packaging script but no obscured or obfuscated code; (4) if you need strict network isolation, run with network disabled to enforce the documented 'no external network calls'; and (5) expect the translator's high '98.5' quality claim to be aspirational—the code contains placeholder logic for deep linguistic transformation, so validate output quality on representative samples before relying on it for production use.

Review Dimensions

Purpose & Capability: okName/description match the code and SKILL.md: a local tool to translate classical Chinese and preserve ebook structure. The code implements EPUB/XHTML processing, terminology handling, and batch modes described in the documentation. Minor metadata mismatches: registry lists no homepage/source but package.json and several READMEs reference a GitHub repo and a homepage; duplicate files appear at both root and a nested classical-chinese-translator/ directory (likely packaging artifact) but this does not change functionality.
Instruction Scope: okSKILL.md instructs local file processing and explicitly states 'No external network calls'. The Python script operates on local files (XHTML/EPUB), reads an optional terminology JSON, validates/parses XML, and writes outputs. It does not read environment variables or call external endpoints. No instructions ask the agent to collect or transmit unrelated system data.
Install Mechanism: noteThere is no OpenClaw install spec (instruction-only in registry) but the package includes build.sh, package.json, and Python scripts — installation is manual/copy-based or via openclaw CLI. No remote downloads or obscure URLs. Minor incoherence: package.json lists 'dependencies' as ebooklib and lxml (Python packages) in an npm-style manifest — this is a harmless but inconsistent packaging convention and means the environment must have the Python packages installed via pip rather than npm.
Credentials: okThe skill requests no environment variables or credentials. The code does not access secrets or unrelated config paths. Optional external tooling (mobi-tools) is documented only for AZW3/MOBI conversion and is proportionate to the stated purpose.
Persistence & Privilege: okThe skill does not request always: true and will not be force-included. It does not modify other skills or global agent settings. Installation is file-copy/tarball based and does not persist unexpected agent-wide privileges.