Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
translate-manual
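v1.0.0
Translates a docx manual into a specified language and re-captures application UI screenshots to replace the original images in the document. Trigger scenarios: (1) the user sends a docx document and asks for it to be translated, (2) software UI screenshots need to be re-captured, (3) document localization work that involves replacing screenshots.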
⭐ 0· 209·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims docx translation and replacing UI screenshots. The included Python modules implement docx reading/translation and image extraction/replacement placeholders, which align with translation. However the SKILL.md and README describe automatic screenshot capture and app startup (pnpm dev, launching EXEs, web navigation) — there is no code that actually captures screenshots, drives browsers, or launches applications. Also the runtime requires an external translation API key (DeepLX) but the registry metadata declared no required env vars/credentials.
Instruction Scope
SKILL.md instructs the agent/operator to start apps, visit URLs, locate language toggles and re-capture UI screenshots. The code only extracts existing images from docx and has a placeholder for image replacement; it does not automate screenshot capture or remote UI interaction. The mismatch gives the agent or a human broad discretion to run commands or open apps outside the skill's code, which is outside what the packaged code actually does.
Install Mechanism
This is an instruction-and-script-only skill with no install spec. Nothing is downloaded or written by an install step, which minimizes installer-level risk.
Credentials
Registry metadata lists no required env vars, but the translator code requires an API key at runtime and checks several environment variable names (DEEPLX_API_KEY, DEEPL_API_KEY, TRANSLATOR_API_KEY). The translator will exit if no API key is provided. The code also sends document text to an external endpoint (https://api.deeplx.org/{api_key}/translate), which may expose sensitive document content to a third party. Those environment/credential needs should have been declared and justified in metadata.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no install hooks. It does not request elevated or persistent system presence in the manifest.
What to consider before installing
This skill is plausible for translating docx files, but you should not install/run it without verifying a few things:
(1) The metadata should declare that an API key is required — currently it does not, yet the script requires one. Confirm which environment variable or parameter you'll use and whether that's acceptable.
(2) The code sends text to https://api.deeplx.org; verify that this is a legitimate and trusted translation endpoint (it's different from official DeepL endpoints) because your document text (possibly sensitive) will be transmitted.
(3) The README/SKILL.md mention automatic screenshot capture and launching apps, but the repository contains no automation for that — if you need automatic UI screenshots, expect to provide additional tooling or permit the agent/operator to run local commands, which increases risk.
(4) Consider running the scripts in a sandbox with test documents first, and audit network traffic (or replace the external API with an internal/trusted translator) if document confidentiality matters.
(5) Ask the publisher to correct metadata to list required env vars and to either provide screenshot automation code or remove the claims.
If you cannot verify the endpoint or metadata, treat this skill as untrusted and do not provide sensitive documents or API keys.
Like a lobster shell, security has layers — review code before you run it.
latestvk974b0r67ec6jpvgf942388sh182rqqe
