Back to skill
Skillv1.0.0
ClawScan security
AI Image Translator – Translate Text from Images Instantly with AI – API-powered · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 14, 2026, 2:36 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are consistent with an image-text-translation integration for the WeShop OpenAPI and request only the single, expected API key.
- Guidance
- This skill appears internally consistent, but before installing: (1) confirm you trust WeShop (openapi.weshop.ai) and have reviewed its privacy and data-retention policies because images (possibly containing sensitive content) will be uploaded to their service; (2) keep your WESHOP_API_KEY secret and only set it as an environment variable — do not paste it in chat; (3) consider creating a limited-scope or disposable API key if available and rotate it regularly; and (4) monitor any agent activity that uploads local files to ensure only expected images are transmitted.
Review Dimensions
- Purpose & Capability
- okName and description match the declared requirement (WESHOP_API_KEY) and the documented endpoints for openapi.weshop.ai. No unrelated credentials or binaries are requested.
- Instruction Scope
- okSKILL.md gives specific endpoints and polling behavior and instructs the agent to only use openapi.weshop.ai and to check WESHOP_API_KEY before asking the user. It does not instruct the agent to read unrelated files, other env vars, or exfiltrate data to other domains. Note: the skill implies uploading local images to the service, so image data will be transmitted to WeShop when used.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files — nothing is written to disk by an installer. This is the lowest-risk install posture.
- Credentials
- okOnly one environment variable (WESHOP_API_KEY) is required and it is the logical credential for this API. The SKILL.md explicitly warns to only send the key to openapi.weshop.ai.
- Persistence & Privilege
- okalways is false and the skill does not request persistent or cross-skill configuration. Model invocation is allowed (platform default) — this is expected and not problematic given the narrow credential scope.