ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Excel Translator

Translates Excel files (.xlsx) from English to Chinese while preserving all formatting, images, and charts. Use for any task where a user provides an Excel f...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 290 · 0 current installs · 1 all-time installs
by@ilove323
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description align with the code: it uses openpyxl to modify .xlsx files and an LLM to translate cell text. However, the SKILL.md emphasizes environment variables for credentials but the script also attempts to read credentials from ~/.openai/secret (KEY=VALUE format), which is not documented in SKILL.md. That extra file access is out-of-band relative to the stated environment-only credential approach.
!
Instruction Scope
SKILL.md instructs the agent to run the included script and states credentials come from environment variables, but the script explicitly reads ~/.openai/secret as a fallback. The script will batch cell contents and transmit them to the configured OpenAI API endpoint — this means spreadsheet data (which may be sensitive) is sent to an external service. The hidden file read and the lack of explicit warnings about data exfiltration are scope creep relative to a purely local translation tool.
Install Mechanism
There is no install spec (instruction-only), which minimizes installation risk. However, the script depends on Python packages (openpyxl and an OpenAI client) which are not declared in the registry metadata or SKILL.md as required installs; running it without these installed will fail. No suspicious external download/install behavior is present.
!
Credentials
Requesting an OpenAI API key is proportionate for a cloud-based translation. Concerns: (1) the script reads ~/.openai/secret in addition to environment variables — this may expose other keys stored there; (2) OPENAI_BASE_URL can be pointed at an arbitrary endpoint, which would cause data to be sent to that endpoint if misconfigured; (3) the script does not validate the presence of a valid API key before creating the client. These are reasonable for functionality but require the user to trust the environment and the contents of their home directory.
Persistence & Privilege
The skill is not always-enabled, does not modify other skills, and does not request persistent system privileges. Its only notable privilege is read access to a secrets file in the user's home directory, which is performed at runtime and not persisted.
What to consider before installing
This skill appears to do what it claims (translate Excel files by sending cell text to an LLM), but exercise caution before use: 1) It will transmit spreadsheet contents to the configured OpenAI API endpoint — do NOT run it on sensitive or confidential spreadsheets unless you accept this. 2) The script will attempt to read a secrets file at ~/.openai/secret in addition to environment variables; inspect that file (and its permissions) before installing or running the skill. 3) Verify OPENAI_BASE_URL is set to the official API (https://api.openai.com/v1) — a malicious base URL would exfiltrate data to a third party. 4) Ensure required Python packages (openpyxl and an OpenAI client library) are installed from trusted sources. 5) If you want to avoid remote calls, do not provide an API key and/or run a modified local-only version; otherwise, test on non-sensitive sample files first. If you want higher assurance, ask the publisher to remove the fallback ~/.openai/secret read and to explicitly declare dependencies and credential sources.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk978qxx5q02vvw501p3h8xsbdh81yfkq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Excel Translator Skill

Overview

This skill translates the text content of an Excel file (.xlsx) from English to Chinese using openpyxl. The Chinese translation is placed directly below the original English text in the same cell, separated by a newline — no new rows or columns are inserted. Original formatting (merged cells, fonts, colors, images) is preserved.

Workflow

  1. Identify the input .xlsx file path from the user.
  2. Run scripts/translate.py from the shell.
  3. Deliver the output file to the user as an attachment.

Running the Script

python3.11 /home/ubuntu/skills/excel-translator/scripts/translate.py "/path/to/input.xlsx"

The output file is saved automatically with a _translated suffix in the same directory.

Custom output path:

python3.11 /home/ubuntu/skills/excel-translator/scripts/translate.py "/path/to/input.xlsx" -o "/path/to/output.xlsx"

Environment Variables

The script reads API credentials from environment variables. These are pre-configured in the Manus sandbox:

  • OPENAI_API_KEY — API key for the translation model.
  • OPENAI_BASE_URL — Base URL for the API endpoint (defaults to https://api.openai.com/v1).

Bundled Resources

  • scripts/translate.py — Core translation script. Scans all sheets, translates English text cells concurrently via OpenAI API, writes "English\nChinese" back into the same cell with wrap_text=True, and saves the result.

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…