Skill v1.0.0

ClawScan security

AI Image Translator – Translate Text from Images Instantly with AI – CLI-powered · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 19, 2026, 6:13 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent for an image-text-translation CLI wrapper, but it relies on a third‑party npm CLI (weshop-cli) you must install — verify that package before installing.
Guidance
This skill is internally consistent for a CLI-based WeShop image translation wrapper, but it depends on installing the external 'weshop-cli' npm package and using your WESHOP_API_KEY. Before installing or running:
1) Confirm the npm package is the official one (check the linked GitHub repo, maintainer, recent activity, and npm publisher).
2) Prefer installing in a sandbox/container or review the package source if you can.
3) Never paste your API key into prompts or CLI arguments — follow the SKILL.md advice to set WESHOP_API_KEY in your environment.
4) Verify that the API endpoint (openapi.weshop.ai) is legitimate for your account.
If you cannot verify the CLI package or the publisher, treat the dependency as a risk and avoid installing it system-wide.

Review Dimensions

Purpose & Capability
ok: The skill is an instruction-only wrapper for the WeShop 'ai-translate' CLI: the declared primary credential (WESHOP_API_KEY) and the required command ('weshop') match the described purpose of translating text in images. There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
ok: SKILL.md confines runtime steps to checking/installing the weshop CLI, ensuring WESHOP_API_KEY is present, and running 'weshop ai-translate' with the image and optional prompt. It does not instruct reading unrelated files, accessing other env vars, or sending data to unexpected endpoints beyond the stated openapi.weshop.ai.
Install Mechanism
note: There is no built-in install spec (the skill is instruction-only). The skill explicitly recommends installing an npm package globally (npm install -g weshop-cli). Installing from npm is a normal approach but carries moderate risk because third-party packages are not pre-reviewed by this registry — you should verify the package's authenticity and source (GitHub repo, maintainer) before installing, and consider installing in a constrained environment.
Credentials
ok: Only a single credential, WESHOP_API_KEY, is required and declared as the primary credential. That is proportionate to a CLI that calls an external image-translation API. The SKILL.md advises not to pass the key on the command line and states the endpoint (openapi.weshop.ai), which aligns with the declared env var.
Persistence & Privilege
ok: The skill does not request persistent/always-on inclusion (always: false) and does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but is not combined with elevated privileges or broad credential access.