by 安全扫描
OpenClaw
可疑
medium confidence该技能基本实现了宣称的图像/文本翻译功能,但存在一些不一致性(域名不匹配、未声明的凭证处理)并会将您的图像/文本传输到外部服务器——安装前请审查。
评估建议
该技能将上传您提供的文本和图像数据到外部端点(api.tosoiot.com / api2.tosoiot.com)进行翻译——如果包含敏感图像或机密文本,请确保您信任该服务。注意,SKILL.md 中的文档引用 xiangjifanyi.com,而脚本使用 tos oiot.com 域;请验证哪个域是权威的(检查 TLS 证书、服务文档或联系供应商)。脚本通过 CLI 参数接受必需的密钥(而非环境变量)——确保保持这些密钥的机密性,并在发送大量数据前确认服务的隐私/计费政策。如果您想要更强的保证,建议使用您信任的官方供应商 SDK/API 端点(例如 Google/DeepL)或运行本地 OCR/翻译管道。...详细分析 ▾
ℹ 用途与能力
The scripts implement text and image translation as described (text POST to a translation API; image upload or URL-batch endpoints). However, SKILL.md advertises xiangjifanyi.com and openapi-doc.xiangjifanyi.com while the actual API endpoints used in code are api.tosoiot.com and api2.tosoiot.com — domain mismatch that could indicate outdated docs, a proxy service, or mislabeling. The skill does not request unrelated capabilities (no AWS, etc.).
ℹ 指令范围
Runtime instructions direct running the included Python scripts which: (a) POST text to https://api.tosoiot.com/task/v1/text/translate, and (b) upload local image files (via curl subprocess) to https://api2.tosoiot.com or POST URL batches to https://api.tosoiot.com. These actions will send entire image contents and text to external servers (expected for translation but privacy-sensitive). The scripts do not read arbitrary system config files or other environment variables.
✓ 安装机制
No install spec is provided (instruction-only with included scripts). No downloads or archive extractions occur at install time; the files are plain Python scripts and a language reference file — low install risk.
ℹ 凭证需求
The skill does not declare required environment variables in the registry metadata, but SKILL.md and the scripts require API keys (TextTransKey, ImgTransKey, UserKey) as CLI arguments. Requiring service API keys is proportional, but the registry metadata not declaring them is an inconsistency and reduces transparency. No unrelated secrets are requested.
✓ 持久化与权限
The skill does not request always: true and does not attempt to modify other skills or system-wide config. It runs only when invoked.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/4
["完全重构技能,定位为‘象寄翻译服务’,支持文本与图片翻译,覆盖多种翻译引擎和语言。","新增详细 API 密钥说明与签名机制,明确前置条件和使用安全指引。","增加图片翻译、批量处理、指定质量与多引擎用法说明。","支持本地文件、URL 批量图片翻译及参数详解。","丰富常用语言代码表及错误码说明,便于查阅。","删除原有图片优化、格式指南等内容,专注翻译服务领域。"]
● 可疑
安装命令 点击复制
官方npx clawhub@latest install image-translator
镜像加速npx clawhub@latest install image-translator --registry https://cn.clawhub-mirror.com
技能文档
简介
[原始 SKILL.md 中的中文翻译内容,保留代码块、命令行指令和 Markdown 格式,不在此处重复原始英文内容]使用指南
[详细的使用指南,翻译自原始文档]API 密钥说明
[新增的详细 API 密钥说明与安全指引的翻译]数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制