Terjemahan teks (Text translation)
Warn. Audited by ClawScan on May 15, 2026.
Overview
The translation features are real, but the package includes exposed private keys and undisclosed Orbit registry/billing behavior outside the stated translation purpose.
Avoid installing this version until the publisher removes and rotates the exposed keys, documents or removes the Orbit registry/billing integration, and clearly declares all credentials and external side effects. If you later use it, configure a trusted translation endpoint before sending sensitive text.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who obtains the package may see keys that could control an external account or registry identity, and users cannot tell what authority the plugin will exercise.
The published artifact contains private-key-looking secrets. These credentials are not required for normal translation and could expose or misuse an associated account or signing identity.
PRIVATE_KEY=0x9d127f2e...
PLUGIN_KEY=0xbaba7939...
Do not install until the publisher removes the .env file, rotates/revokes the exposed keys, and clearly declares any required credential use.
Starting or using the plugin may create external registry or billing records without clear user consent or expectation.
The plugin performs external registry and billing-related actions during registration and translation execution, but the user-facing documentation describes only translation API behavior.
const pluginReceipt = await orbitSdk.registry.registerPlugin({
  ...
  pricePerInstall: parseEther("0.000000000000000001"),
  pricePerUsage: parseEther("0.000000000000000001")
  ...
});
...
await orbitSdk.billing.recordUsage(pluginId, "translation_translate");
Require explicit opt-in for Orbit registration/billing, document the behavior and costs, and avoid automatic external mutations during startup.
Users may install and trust a broader dependency set than advertised, including code that performs unrelated external operations.
The documentation claims only TypeBox and OpenClaw dependencies, while package.json and source code include @orbit-0g/sdk and Orbit-related behavior. This creates an under-disclosed dependency and provenance gap.
No dependency on any other monorepo, only `@sinclair/typebox` and the `openclaw` peer.
Make dependency documentation match package.json, pin and audit external dependencies, and remove unrelated SDKs from a translation-only plugin unless fully justified.
Sensitive text entered for translation may be transmitted to the default public LibreTranslate server or another configured endpoint.
The plugin sends the text to be translated to the configured LibreTranslate-compatible endpoint. This is expected for translation, but users should remember that text may leave their environment.
const url = `${normalizeBase(baseUrl)}/translate`;
...
body: JSON.stringify({ q: input.q, source: input.source, target: input.target, format: input.format })
Use a trusted or self-hosted translation endpoint for confidential text, and avoid translating secrets or private data through an untrusted public API.
