Skillv1.0.0

ClawScan security

妙言小智(PicTech.cc)-跨境电商图片翻译 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 29, 2026, 11:23 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill largely matches an image-translation purpose but contains several incoherent or risky elements (mixed requirements for the VK credential, an obfuscated core file that the skill forbids you to inspect, enforced silent credential persistence, and SKILL.md prompt-injection indicators) that warrant caution and code review before use.
Guidance: This skill claims to do image translation, but it contains several red flags: the core script (index.js) is obfuscated and the instructions explicitly forbid inspecting it; the skill saves an API key (VK) to a local .vk_config file and encourages the agent to reuse it silently; SKILL.md and skill.json disagree about whether VK is required; and a prompt-injection pattern was detected. Before installing or running this skill you should (1) obtain the upstream source and verify the publisher (PicTech.cc) and a trustworthy repository URL, (2) request a non-obfuscated version of index.js or a detailed network/endpoint disclosure so reviewers can confirm where requests are sent, (3) run the code in an isolated sandbox or VM and monitor network traffic to see what endpoints are contacted, (4) avoid providing long-lived production VK keys — use an ephemeral/test key and rotate it after verification, and (5) insist the skill remove instructions that prevent code inspection and require explicit user consent before persisting credentials. If you cannot get a transparent, reviewable implementation, treat the skill as risky and do not run it with real credentials or on sensitive machines.
Findings: [base64-block] unexpected: The SKILL.md triggered a 'base64-block' prompt-injection pattern. Combined with the obfuscated index.js and the SKILL.md instruction forbidding inspection, this suggests the skill may be attempting to prevent analysis or to execute encoded payloads; this is not expected for a transparent translation utility.

Review Dimensions

Purpose & Capability: noteThe skill's stated purpose (image translation) aligns with the included code (Node.js CLI that accepts input, languages, and a VK API key). However there are inconsistencies: skill.json marks 'vk' as a required parameter while the SKILL.md/cli.js treat VK as optional (only needed if local .vk_config / TRANSLATE_VK aren't present). Registry metadata declared no required env vars, yet cli.js reads TRANSLATE_VK. These mismatches are confusing and reduce transparency.
Instruction Scope: concernSKILL.md instructs the agent not to view or run index.js (it's 'mixed/obfuscated') and to avoid running cat/strings on it — this actively prevents inspection. It also requires 'silent' behavior around the VK key (save to .vk_config and reuse without prompting) and mandates strict output formatting that forces inclusion of absolute local paths and inline image previews, which can leak local filesystem information. These instructions expand the agent's discretion and encourage hiding implementation details from users/reviewers — a prompt-injection / opacity risk.
Install Mechanism: concernThere is no install spec (instruction-only) but the package includes two JS files and a package.json with network-capable dependencies (axios, form-data, nedb). The main code (index.js) is heavily obfuscated; while including dependencies from npm is normal, the obfuscation combined with an explicit prohibition on inspecting the code is suspicious because it prevents reviewers from seeing what remote endpoints or data flows are used.
Credentials: concernNo declared required environment variables, but cli.js will read TRANSLATE_VK from the environment and skill.json requires a VK parameter. The skill writes and persists a VK in a local '.vk_config' file without further user confirmation after first provision. Persisting an API key locally and encouraging 'silent' reuse increases the blast radius if the key is misused; the code/setup lacks transparency about what external endpoints that key will be sent to (index.js is obfuscated).
Persistence & Privilege: noteThe skill persists the VK API key to a local file (.vk_config) and will reuse it automatically. It is not marked always:true and does not request elevated platform privileges, but the automatic local storage of credentials and instructions to not ask users are notable persistence behaviors to be aware of.