ClawHub
Back to skill
v1.0.0

Openclaw Zh

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 6:30 AM.

Analysis

This skill appears to do what it claims—translate OpenClaw UI files—but it works by directly modifying the local OpenClaw installation, so users should run it intentionally.

GuidanceInstall or run this only if you want your local OpenClaw UI files translated in place. Prefer running the dry-run mode first, verify the target path under /usr/lib/node_modules/openclaw, and keep the backup so you can restore the original UI if needed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
scripts/apply_translation.py
OPENCLAW_ROOT = Path("/usr/lib/node_modules/openclaw") ... with open(js_file, 'w', encoding='utf-8') as f: f.write(content)

The helper script directly edits the installed OpenClaw Control UI JavaScript bundle. This matches the translation purpose and includes backup/restore logic, but users should understand it mutates the local installation.

User impactRunning the script changes OpenClaw’s installed web UI files and may affect all future UI sessions until restored or overwritten.
RecommendationUse --dry-run first, confirm the target path is the OpenClaw installation you intend to modify, and keep the generated backup before applying changes.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
SKILL.md
python3 ~/.openclaw/workspace/skills/openclaw-zh/scripts/apply_translation.py

The skill is described as instruction-only with no required binaries declared, but its main workflow depends on running a bundled Python script. This is purpose-aligned, but the local tool requirement is under-declared.

User impactThe skill will not function unless python3 is available, and the user or agent may run local code from the skill directory.
RecommendationReview the included Python script before running it and ensure python3 is available from a trusted local installation.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
SKILL.md
`translations/chrome-extension-zh.json` - Chrome 扩展中文翻译映射

The SKILL.md references a Chrome extension JSON translation file, while the manifest provides translations/chrome-extension-zh.html. This is a packaging/documentation inconsistency rather than evidence of malicious behavior.

User impactThe Chrome extension translation workflow may be confusing or require manual verification of the intended file.
RecommendationConfirm which Chrome extension file should be edited or copied before making changes.