ClawHub

ifly-translate

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward iFlytek translation skill, with disclosed external API use and one leftover local Claude packaging permission that users should remove or ignore.

Install only if you are comfortable sending translated text to iFlytek and using an iFlytek API key from your environment. Avoid feeding it secrets, private files, regulated data, or confidential business text, and remove or ignore the bundled .claude local settings file because it is only a packaging command and is not needed for translation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The local Claude settings explicitly allow execution of a Bash command to create a zip archive on the host filesystem, which is unrelated to the runtime behavior of a translation skill. Granting shell access, even to a single command, expands the agent's capabilities beyond translation and can be abused for unauthorized file packaging or data collection from local directories if the permission is invoked inappropriately.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends user-supplied text and authentication material to a third-party translation API, but it does so without any explicit user-facing disclosure at the point of execution. In an agent/skill context, this can cause users to unknowingly exfiltrate sensitive prompts, documents, or secrets to an external service, which is a real privacy and data-handling risk even though the transport itself is HTTPS.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal