Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ollang SKILLS

v1.0.3

Master skill for the Ollang translation platform. Routes to the right Ollang sub-skill based on intent — upload files, create orders, check status, manage re...

by M. Aziz Ulak (@mazizulak)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and all sub-skill SKILL.md files consistently implement an Ollang translation integration (upload, create orders, QC, revisions, projects, folders). The requested HTTP endpoints and parameters align with that purpose. However, the registry metadata lists no required environment variables or primary credential, while every SKILL.md repeatedly states it reads OLLANG_API_KEY — that inconsistency is unexpected and should be justified.
Instruction Scope
Instructions are narrowly scoped to calling Ollang API endpoints and returning results (curl examples, expected request fields, and behavior flows). They do instruct the agent to read the OLLANG_API_KEY environment variable and to 'save' projectId/orderId for later steps; 'save' is vague about where state is stored. No instructions ask to read unrelated system files or other environment variables. The main concern: the runtime behaviour depends on an env var that the skill metadata does not declare.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — low risk from installation. There are no downloads, packages, or binaries required.
Credentials
Every sub-skill requires an API key (X-Api-Key) read from OLLANG_API_KEY, but the skill's declared requirements list zero env vars and no primary credential. Requiring a single service API key is reasonable for this purpose, but the metadata omission is an incoherence and raises a risk: the platform and user will not be warned that a secret is needed, and automated permission gating may not be applied. No other unrelated secrets are requested.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and contains no install-time persistence or cross-skill configuration changes. It does mention saving projectId/orderId for later steps, which is normal for a multi-step API integration, but the mechanism/location for that state is unspecified.
What to consider before installing
This collection appears to be a legitimate Ollang API integration (upload, orders, QC, revisions). However:
1) The SKILL.md files all require an OLLANG_API_KEY but the skill metadata lists no required environment variable — ask the publisher to set primaryEnv/requires.env to OLLANG_API_KEY so the platform can surface and protect that secret.
2) Verify the skill source (the registry shows unknown source/homepage). Only set OLLANG_API_KEY if you trust the skill's origin and the domains listed (api-integration.ollang.com and lab.ollang.com).
3) Be cautious with callbackUrl/webhook options: if you supply a callback URL, the service will POST results there — don’t point it to an endpoint you don’t control.
4) If you need stronger assurance, request the publisher provide a homepage or source repository and update the skill metadata to declare the required credential. If you cannot verify the author, avoid installing or supply an API key with minimal privileges or a throwaway account.

Like a lobster shell, security has layers — review code before you run it.

latest vk9709d73q6pwhqxpnczwhxy69d84f5z1

