pdf2zh-next Translation
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: pdf2zh-translator
Version: 0.0.3
The skill is a well-structured wrapper for the pdf2zh-next translation utility. It demonstrates strong security practices, including explicit environment isolation in `scripts/run_pdf2zh_pipeline.py` (stripping sensitive environment variables and redirecting HOME/APPDATA to the skill directory) and strict path validation to ensure only the local `config.toml` is accessed. No evidence of data exfiltration, malicious execution, or prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an unexpected or malicious executable with that name is on PATH, the skill could run it during translation.
The wrapper depends on an external pdf2zh executable that is not packaged in the skill; this is central to the stated purpose but makes the trustworthiness of the installed CLI important.
for name in ["pdf2zh_next", "pdf2zh-next", "pdf2zh"]:
    path = shutil.which(name)
    ...
raise RuntimeError("pdf2zh CLI not found. Install pdf2zh-next first, or provide --exe-path.")
Install pdf2zh-next from a trusted source and, if possible, provide a known absolute executable path.
If you add API keys, the configured provider account may be used and billed for translations.
The bundled configuration is designed to hold translation-provider credentials, though the included values are placeholders rather than hardcoded secrets.
openai_api_key = "null" ... deepseek_api_key = "null" ... azure_api_key = "null"
Use provider keys with limited scope where available, avoid storing unrelated credentials, and review provider billing/privacy settings.
Private PDF contents could be sent to a selected translation service as part of normal translation.
The configuration enables/selects translation services and includes cloud provider endpoints, so PDF text may be processed by the configured translation provider.
siliconflowfree = true ... aliyun_dashscope_base_url = "https://dashscope.aliyuncs.com/compatible-mode/v1" ... siliconflow_base_url = "https://api.siliconflow.cn/v1"
Confirm which provider is active before use, and avoid sending confidential documents to remote services unless that is acceptable.
