Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Subtitle Translator

v0.1.1

Translate SRT subtitle files using LLM APIs with OpenAI-compatible format. Supports both single-language and bilingual output. Use when you need to translate...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included scripts: parse/validate SRT files and call an OpenAI-compatible chat/completions endpoint to produce translations. No unrelated binaries, services, or capabilities are requested.
Instruction Scope
SKILL.md instructions correspond to what the scripts do: read an input .srt, validate, batch text to an LLM API, and write an output .srt. The scripts only reference SRT input/output, API URL/key/model, and standard proxy env vars; they do not attempt to read other system credentials or unrelated files.
Install Mechanism
No install spec; this is instruction + script files only. Nothing is downloaded or executed from external URLs during install, so install risk is low.
Credentials
The skill legitimately needs an API endpoint and API key to function (scripts require --api-key / env SUBTITLE_API_KEY). However, the registry metadata declared no required environment variables or primary credential — this is a documentation/metadata omission. The SKILL.md also recommends optionally storing the key in ~/.openclaw/skills/subtitle-translator/config.json (plaintext), which increases risk if the user follows it. The scripts respect http_proxy/https_proxy, meaning a misconfigured or malicious proxy could capture the API key (and SKILL.md appropriately warns about this).
Persistence & Privilege
always is false and the skill does not request system-wide persistence or modify other skills. It suggests writing an optional per-skill config file under the user's home directory (expected and scoped to the skill).
Assessment
This skill appears to do exactly what it says: translate .srt files by sending subtitle text to an OpenAI-compatible API. Before using it, consider: (1) you must supply an API URL and API key — the registry metadata omitted declaring this credential; treat the key like any secret. (2) Prefer environment variables or a secret manager over the suggested plaintext config file (~/.openclaw/skills/.../config.json). (3) The skill sends all subtitle text to whatever API URL you provide — do not use it for sensitive content unless you control the endpoint. (4) Proxies (http_proxy/https_proxy) are honored and can capture keys—ensure you trust your proxy. (5) Review the small Python scripts yourself (they're included) before running. If you want stricter guarantees, ask the author to declare the API key as a required credential in the registry metadata and to remove the plaintext-config recommendation.
