Security audit

File Translate

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it translates user-selected text, images, and documents by sending them to 360's translation API, with the main risk clearly disclosed.

Install only if you are comfortable sending the text, images, or documents you translate to 360's API. Avoid confidential or regulated files unless that transfer is acceptable, use a dedicated API key when possible, and download results instead of relying on temporary public-style result URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 97%
Finding: The image translation path reads a local file and base64-encodes it for submission to a third-party API, but the script itself provides no runtime user-facing consent or warning before transmitting the image contents off host. In this skill context, external transfer is the core feature, but silently uploading local files can still cause unintended disclosure of sensitive data if invoked on private images.

Missing User Warnings

Medium
Confidence: 98%
Finding: The document translation flow uploads full local documents to an external service for processing, yet the code does not display an explicit warning or obtain confirmation at the point of upload. Because documents often contain confidential business or personal data, this creates a real data-exposure risk when users or calling agents invoke the skill without appreciating that the file is transmitted to api.360.cn.

External Transmission

Medium
Category: Data Exfiltration
Content:
### Step 1: Upload

**POST** `https://api.360.cn/v1/documents/translate/upload?target_lang=<code>`

- Content-Type: `multipart/form-data`
- Body: `file` field with the document
Confidence: 79%
Finding: https://api.360.cn/

VirusTotal

65/65 vendors flagged this skill as clean.