ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Summon Translator Skill

v1.0.0

Translate safety procedures, supplier documents, and Articulate Rise 360 eLearning content into 137+ languages using AI. Built for supply chain teams, HSE pr...

0· 38·0 current·0 all-time
by@nikirun2017-phache
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description match the actions in SKILL.md: uploading local files, creating translation jobs, polling for completion, and downloading translated outputs. The only external requirement (SUMMON_API_KEY) is exactly what an external translation API would need.
Instruction Scope
Instructions are scoped to the translation workflow (curl upload, poll job status, download results). This is expected, but the workflow necessarily uploads local files (potentially sensitive compliance/HSE content) to summontranslator.com — users should be aware the skill transmits full file contents to a third-party service.
Install Mechanism
No install spec or code files are present (instruction-only). No packages or downloads are requested, so there is no installation risk from arbitrary code being written or executed locally.
Credentials
The only declared config requirement is SUMMON_API_KEY (used in the supplied curl examples). No unrelated credentials, binaries, or config paths are requested.
Persistence & Privilege
Skill is user-invocable (not always: true) and does not request persistent system privileges or modify other skills. Autonomous invocation is allowed by platform default but is not combined with other concerning factors here.
Assessment
This skill appears to do exactly what it says: it uploads files to summontranslator.com using a SUMMON_API_KEY to create translation jobs. Before installing or using it, verify the vendor (summontranslator.com), review their privacy/data-retention and billing policies (uploads are billed per word), and confirm whether your organization can send the specific documents (SDS, JSAs, supplier forms) to a third party. Test with non-sensitive files first, keep your SUMMON_API_KEY secret (store it in a secure secrets manager), and consider rotating/revoking the key if you stop using the service. If your organization requires on‑prem or stricter data controls for safety-critical content, request an enterprise/isolated deployment or avoid uploading such files.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c960begkj8vr0v1t1pd61w1844jvp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

ConfigSUMMON_API_KEY

Comments