Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ifly-translate
v1.0.0
iFlytek Machine Translation (机器翻译) — translate text between Chinese, English, Japanese, Korean, French, Spanish, German, Russian, Arabic, Thai, Vietnamese, a...
by Iflytek AIcloud @qingzhe2020
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, SKILL.md, and scripts/translate.py all describe and implement an iFlytek (讯飞) Machine Translation client that posts to itrans.xfyun.cn; the code, usage examples, and required env vars in SKILL.md are coherent with that purpose. However, the registry metadata claims no required environment variables or primary credential, which is inconsistent with the runtime instructions and the script's explicit dependency on three XFYUN credentials.
Instruction Scope
SKILL.md instructs the agent (and user) to set XFYUN_APP_ID, XFYUN_API_KEY, XFYUN_API_SECRET and run a bundled Python script; the script only reads stdin or an input file, the declared env vars, and makes HTTPS requests to itrans.xfyun.cn. The instructions do not direct reading unrelated system files or sending data to unexpected external endpoints.
Install Mechanism
There is no install spec (instruction-only + one bundled script). No third-party packages are downloaded or executed; the Python code uses only stdlib. This is the lower-risk install model.
Credentials
The runtime requires three secrets (XFYUN_APP_ID, XFYUN_API_KEY, XFYUN_API_SECRET) which are appropriate for the iFlytek API, but the skill registry metadata does not declare any required env vars or a primary credential — a metadata omission that hides sensitive requirements from automated reviewers/users. Additionally, the repository includes a .claude/settings.local.json entry granting a Bash zip command (targeting a specific user path), which is unrelated to translation and could indicate leftover packaging/permission settings or accidental inclusion of local config.
Persistence & Privilege
The skill does not request persistent presence (always:false), does not modify other skills or global agent settings, and contains no install script altering system configuration. It runs as an on-demand CLI script that performs network calls to the API endpoint.
What to consider before installing
This package appears to be a legitimate iFlytek translation client, but do the following before installing or running it: (1) Confirm the source/trustworthiness — the skill metadata omits the three required XFYUN credentials even though the script needs them; (2) Only provide XFYUN credentials you control and consider using a limited/test key; (3) Inspect or remove the .claude/settings.local.json file (it contains a Bash zip permission pointing to a local user path and is unrelated to translation); (4) Run the script in an isolated environment or container if you are unsure; (5) Verify network access and that requests go only to itrans.xfyun.cn; and (6) If you intend to publish or share this skill, update the registry metadata to declare the required environment variables so automated reviewers and users can see them.
Like a lobster shell, security has layers — review code before you run it.
latestvk97djyjdc0ts7a16s3jdgrj01n836d7h
