Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Expanso language-detect
v1.0.0Detect the language of input text using AI with Expanso Edge via CLI or MCP pipelines.
⭐ 0· 808·2 current·2 all-time
byExpanso@aronchick
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The skill's files (pipeline-cli.yaml, pipeline-mcp.yaml, skill.yaml, README) all implement language detection via OpenAI and Expanso; that is coherent with the skill name. However, the registry metadata reported no required binaries or env vars while the SKILL.md and pipelines explicitly require the expanso-edge binary and reference OPENAI_API_KEY. This mismatch is a packaging/documentation inconsistency.
Instruction Scope
Runtime instructions are limited to running Expanso pipelines (CLI or MCP) and deploying to Expanso Cloud. The MCP pipeline runs an HTTP server (0.0.0.0:${PORT:-8080}) exposing POST /detect, which is expected for a service pipeline but important to note because it binds to all interfaces. The pipelines only send provided text to OpenAI for completion and expect a JSON response — they do not attempt to read unrelated files, system state, or other credentials.
Install Mechanism
There is no install spec and no code files (instruction-only), so nothing is downloaded or written to disk beyond the user's invocation of expanso-edge. This is the lowest-risk install pattern.
Credentials
The pipelines require OPENAI_API_KEY (used directly in openai_chat_completion). The top-level registry metadata lists no required env vars and skill.yaml marks OPENAI_API_KEY as optional (required: false). That mismatch could confuse users — in practice you need an OpenAI key to run the pipelines. No other unrelated secrets are requested.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system settings, and is user-invocable. It can run an HTTP server when started (expected for MCP), but otherwise requests no persistent privileges.
Assessment
What to check before installing:
- You must have expanso-edge installed and on PATH; the SKILL.md requires this even though the registry metadata omitted it. Install via the expanso/ClawHub instructions in the README if you plan to run pipelines locally.
- The pipelines use OpenAI (gpt-4o-mini) and require OPENAI_API_KEY; set a key before running. skill.yaml marks the key optional but the pipeline will not work without it — treat this as a packaging/documentation bug.
- The MCP pipeline binds to 0.0.0.0:${PORT:-8080} and exposes POST /detect. If you run the MCP server, ensure you understand the network exposure (firewall, allowed clients) because any text you send will be forwarded to OpenAI for processing.
- The skill sends user text to OpenAI—do not send sensitive or private data unless you are comfortable with that data going to your OpenAI account. Review your OpenAI account/config and rate/usage limits.
- skill.yaml mentions a local Ollama backend (llama3.2) but the provided pipeline YAMLs call only the OpenAI processor; if you need an offline/local option, validate and test that separately.
- The package has no homepage and a single owner id (unknown). That is not an active red flag by itself, but if you have a security policy about provenance, consider verifying the source or testing in a sandbox first.
Overall: the skill appears to do what it claims (language detection) with no hidden data exfiltration in the provided files. The primary issues are documentation/packaging inconsistencies and the usual privacy consideration that text is sent to OpenAI.Like a lobster shell, security has layers — review code before you run it.
latestvk976kh77svzj51kp5dd64sq0e580xrwb
License
MIT-0
Free to use, modify, and redistribute. No attribution required.