ClawHub
Back to skill
v1.0.4

Universal Translator

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:26 AM.

Analysis

This is a coherent document-translation skill, but users should be aware it can process whole folders, send document text to the configured LLM, and relies on unpinned Python packages if set up.

GuidanceThis skill appears safe and purpose-aligned for translating documents. Before installing or using it, verify your LLM provider if documents are confidential, translate only folders you intentionally select, and install the listed Python packages in a controlled environment.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
- 📁 **Batch Translation**: Translate entire folders ... for file_path in Path(folder_path).rglob('*'):

The skill supports recursively processing all supported files in a user-specified folder. This is purpose-aligned for batch translation, but it can involve many files if the chosen folder is broad.

User impactIf given a large or sensitive folder, the agent may process many private documents and create translated outputs for them.
RecommendationUse a dedicated input folder containing only files intended for translation and choose a separate output folder.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
dependencies: "pip install python-docx openpyxl python-pptx pymupdf beautifulsoup4"

The skill documents unpinned PyPI dependencies rather than a locked install specification. These libraries are relevant to document translation, but their exact versions and provenance are not fixed by the artifact.

User impactInstalling dependencies may pull current package versions from PyPI, which can vary over time.
RecommendationInstall dependencies in a virtual environment and consider pinning known-good versions before use.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityMediumConfidenceHighStatusNote
SKILL.md
Translation is performed by OpenClaw's configured LLM... The LLM may run locally or remotely depending on OpenClaw configuration.

The skill discloses that document text is translated by the configured LLM, which means private document contents may enter model context and may leave the local machine if the configured LLM is remote.

User impactSensitive content in documents could be processed by a remote model provider depending on the user's OpenClaw setup.
RecommendationCheck which LLM OpenClaw is configured to use before translating confidential documents, and prefer a trusted/local model for sensitive files.