ClawHub

Cuihua i18n Helper

Security checks across malware telemetry and agentic risk

Overview

This is a coherent i18n helper that scans source files and writes locale JSON files, with user-directed translation features that may involve external providers.

Use it on a branch or after committing current work, review generated locale diffs, and avoid translating secrets, customer data, unreleased copy, or sensitive internal strings through third-party providers unless that data sharing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README states that locale files such as `locales/zh.json` and `locales/ja.json` are auto-created, but it does not clearly warn users that running the tool will write new files into the project workspace. In an agent-driven context, this can lead to unexpected repository modifications, polluted working trees, or accidental overwrites if users assume the command is read-only.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Listing third-party translation providers without a privacy notice can mislead users into sending source strings, UI text, or embedded sensitive content to external services without informed consent. In a codebase assistant context, extracted strings may contain internal product names, unreleased features, or secrets accidentally hardcoded in source, increasing confidentiality risk.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The skill encourages broad natural-language commands like extracting strings from `src/` or translating the project without clear scoping, confirmation, or path restrictions. In an agent context, vague prompts can trigger overly broad codebase scanning and bulk modification of files, increasing the chance of unintended edits or processing of sensitive content.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill promotes batch translation via third-party providers but does not clearly warn, up front, that project strings may be sent to external services. In real repositories, UI strings, templates, and embedded literals can contain confidential business terms, internal URLs, feature flags, or personal data, so silent external transmission creates a genuine data-leak risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The tool writes locale files to disk and always overwrites the source-language file without confirmation, backup, dry-run mode, or path safety checks. In a developer tool that recursively scans code and emits files, this can cause unintended data loss or clobber existing translation work, especially when run in automation or from an unexpected working directory.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal