Universal Translator

Security checks across malware telemetry and agentic risk

Overview

The skill claims to translate documents with an AI model, but its shown translation function only labels the original text rather than translating it.

Review before installing. This package does not show working translation logic despite claiming broad document translation, so translated outputs may simply contain the original text with a language label. Avoid using it for business, legal, compliance, or confidential documents unless you verify the implementation and your OpenClaw model configuration first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

High
Confidence: 92%
Finding
The skill claims AI/LLM-based translation, but the implementation only prepends a language tag and returns the original text. This is dangerous because users may disclose sensitive documents under the assumption they are being processed as promised, while downstream workflows may trust falsified output and make incorrect business or compliance decisions.

Intent-Code Divergence

High
Confidence: 95%
Finding
The inline comments assert that translation is performed locally through OpenClaw's LLM, but no model call exists and the function simply echoes tagged input. This deceptive behavior can mislead users about both privacy and processing guarantees, especially when handling confidential documents whose treatment must be accurately represented.

VirusTotal

64/64 vendors flagged this skill as clean.
