translate-manual

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears purpose-aligned for translating DOCX manuals, but users should notice that it can send document text to DeepLX, use an API key, and run local app-start commands for screenshot work.

Before installing, confirm you are comfortable sending the manual text to DeepLX or another translation service, provide API keys deliberately, and only let the agent launch trusted local apps or projects when screenshots are needed.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Text from the DOCX manual may be transmitted to DeepLX for translation.

Why it was flagged

The script sends document text to an external translation endpoint, which is expected for a cloud translation skill but means manual contents leave the local environment.

Skill content

DEEPL_API_TEMPLATE = "https://api.deeplx.org/{api_key}/translate" ... requests.post(url, json={"text": text, "target_lang": target_lang}, timeout=30)

Recommendation

Use this only for documents that may be shared with the chosen translation provider, and review provider/privacy requirements for confidential manuals.

What this means

The agent or script can use the provided translation API key to send translation requests.

Why it was flagged

The skill uses a translation API credential supplied by the user. This is disclosed and purpose-aligned, but credential access should be intentional.

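Skill content

The API key can be supplied in two ways: 1. Passed as a command-line argument (takes precedence) 2. If no argument is passed, read from environment variables ... `DEEPLX_API_KEY`, `DEEPL_API_KEY`, `TRANSLATOR_API_KEY`

Recommendation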

Prefer a scoped or disposable API key, avoid pasting secrets into shared logs, and unset environment variables when no longer needed.

What this means

If used for screenshots, the agent may start a local application or development server from the project you provide.

Why it was flagged

For screenshot capture, the instructions may involve starting a local web/project application. This is relevant to the stated screenshot workflow but runs local project code.

Skill content

**Project path**:

- Frontend: `pnpm dev`
- Backend: `pnpm start` or `npm run start:dev`

Recommendation

Only allow these commands for trusted projects, confirm the exact command and working directory first, and stop the server when the screenshot task is complete.