Subtitle Translator
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: subtitle-translate-skill
Version: 0.1.1
The skill is classified as suspicious primarily due to the `scripts/list_models.py` and `scripts/translate_srt.py` scripts honoring `http_proxy` and `https_proxy` environment variables. While this is a common feature, it introduces a vulnerability where API keys and subtitle content could be intercepted if the agent's environment is configured with an untrusted proxy. However, the `SKILL.md` documentation explicitly warns users about this risk, stating: 'If your environment uses untrusted proxies, API keys could be captured.' This transparency, combined with the absence of other malicious indicators like unauthorized data exfiltration, persistence mechanisms, or prompt injection attempts against the agent, prevents a 'malicious' classification. The core functionality aligns with the stated purpose of subtitle translation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your LLM API key will be used by the script and sent to the API URL you provide.
The script requires an API key and sends it as a Bearer token to the configured API endpoint. This is expected for an LLM translation integration, but it is still sensitive credential handling.
`parser.add_argument('--api-key', '-k', required=True, help='API key')` ... `'Authorization': f'Bearer {api_key}'`
Use only trusted HTTPS API endpoints, prefer narrowly scoped or revocable API keys, and avoid storing keys in plaintext files.
Subtitle contents may be visible to the API provider or any configured proxy, which matters if the subtitles contain private or confidential material.
The skill discloses that subtitle text leaves the local environment and is sent to a user-specified external LLM-compatible API.
All subtitle content is sent to the API endpoint. Do not use with sensitive/confidential content unless you control the API
Use this only with subtitle files you are comfortable sending to the selected provider, and verify proxy settings before running it.
