← Back to Skills Marketplace
Xtranslate
by
GuoTao1980
· GitHub ↗
· v3.2.0
· MIT-0
265
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install xtranslate
Description
Intelligently translate PDF, Word, Excel, PPT, TXT, and RTF files with format preservation, layout optimization, and multi-engine support including batch pro...
Usage Guidance
Summary and recommended next steps before installing or running Xtranslate:
1) Environment variables and API keys: SKILL.md and the code expect multiple cloud API keys (DeepSeek, OpenAI, Anthropic, SiliconFlow, and a custom key), but the registry metadata did not declare them — assume these keys will be used if you select a cloud engine. Only provide keys you trust and you are willing to allow the code to call external model APIs.
2) Stored 'encryption' is not secure: API keys saved via the GUI use a built-in CryptoUtils with a hard-coded password and salt. Anyone with access to the code can decrypt those stored keys. Do not rely on this for secure secret storage; prefer environment variables or a secure credential store under your control.
3) Network/endpoint review: The skill is designed to contact third-party model endpoints. If you plan to use cloud engines, review translator.py (not fully shown in the SKILL.md) to confirm which URLs are used and whether requests include full document content. If privacy is important, use the 'ollama' (local) or 'python' offline engine and test behavior in an isolated environment first.
4) File I/O and persistence: The tool will read input files, may recurse directories for batch jobs, and will write translation_monitor.json, summary files, and output documents. Run it in a safe directory and inspect files it writes. Clean up logs/monitor files if they contain sensitive paths or metadata.
5) Code quality and runtime behavior: Some GUI code appears truncated in the provided bundle (syntax/logic issues visible in truncated snippets), so you should run the code in a controlled environment and/or manually inspect translator.py and gui.py before use to ensure there are no crashes or unintended behaviors.
6) Recommended precautions: (a) test with the local/offline engine first, (b) run in a sandbox/VM if you will supply production API keys or sensitive documents, (c) inspect network connections (e.g., via a proxy) to confirm which data is sent externally, and (d) consider replacing the hard-coded crypto mechanism with a secure credential store if you will use this long-term.
If you want, I can: (1) list the exact places in the code that read environment variables and where they are used, (2) search translator.py/network calls for remote endpoints and payload shapes, or (3) point out specific lines implementing the key storage/decryption so you can evaluate risk further.
Capability Analysis
Type: OpenClaw Skill
Name: xtranslate
Version: 3.2.0
The skill bundle provides a document translation tool with broad file system and network access. While the functionality aligns with its stated purpose, it contains a significant security vulnerability in `src/crypto_utils.py`, which uses a hardcoded password ('Xtranslate_Secret_Key') and salt for Fernet encryption of sensitive API keys. Additionally, the 'Smart Monitoring System' implemented in `translation_monitor.py` logs detailed metadata, including full local file paths, to a persistent JSON file (`translation_monitor.json`), which could lead to local information disclosure of sensitive file names and processing history.
Capability Assessment
Purpose & Capability
The skill claims to be a document translator (cloud/local/built-in), and the code and SKILL.md show support for cloud providers (DeepSeek, OpenAI, Anthropic, SiliconFlow). However the registry metadata declared no required environment variables while both SKILL.md and config_loader.py expect multiple cloud API keys (DEEPSEEK_API_KEY, OPENAI_API_KEY, ANTHROPIC_API_KEY, SILICONFLOW_API_KEY, CUSTOM_API_KEY). That mismatch (no declared env vars but code requiring them) is incoherent and should be clarified.
Instruction Scope
The SKILL.md instructs the agent to run the included Python entrypoint (src/main.py) for translating files and batch folders — that is consistent with the stated purpose. The runtime instructions and code will read and write local files (input files, translation outputs, translation_monitor.json, summary files, output directories) and may traverse directories when given a folder. The instructions do not direct the agent to read unrelated OS secrets or shell history, but the skill will create/modify files in the working directory and uses targets.txt/output_path.txt if present.
Install Mechanism
There is no install spec (instruction-only skill) but the bundle includes Python source and a requirements.txt listing many third-party packages (openai, cryptography, ollama, pdf2docx, python-docx, etc.). No external binary downloads or obscure URLs are used in the manifest, which lowers supply-chain risk, but installing the listed Python packages will pull code from public registries.
Credentials
The SKILL.md and config files expect multiple cloud API keys matching the supported cloud engines — that is proportional to supporting cloud translation. However: (1) the registry metadata does not declare these required env vars (incoherence), (2) API keys are stored via src/crypto_utils.py using a hard-coded password/salt ('Xtranslate_Secret_Key' and fixed salt), which provides only obfuscation and is reversible by anyone with the code; and (3) the code will read env vars directly (config_loader.py) without explicit permission prompts. These factors increase privacy risk for sensitive API keys.
Persistence & Privilege
The skill does not request always:true and does not appear to modify other skills or system-wide agent settings. It will create and write local files (translation outputs, translation_monitor.json, summary text files) in the user's workspace. Autonomous invocation is allowed by default (not flagged on its own) — note that allowing the agent to run this skill plus supplying API keys increases the blast radius for any misuse of those keys.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install xtranslate - After installation, invoke the skill by name or use
/xtranslate - Provide required inputs per the skill's parameter spec and get structured output
Version History
v3.2.0
xtranslate 3.2 introduces a comprehensive, intelligent translation tool for multi-format documents.
- Added support for translating PDF, Word, Excel, PPT, TXT, and RTF files, with original formatting preserved and automatic layout optimization.
- Integrated multiple translation engines: cloud (DeepSeek, GPT-4o, Claude, etc.), Ollama local, and a built-in Python library for flexibility and security.
- Introduced batch folder translation, smart monitoring, and performance optimization (including concurrent processing and special handling for large documents).
- Implemented keyword extraction to improve translation accuracy of professional terms.
- Enhanced output structure to generate translated documents in multiple formats with automatic cleanup and encrypted API key storage.
Metadata
Frequently Asked Questions
What is Xtranslate?
Intelligently translate PDF, Word, Excel, PPT, TXT, and RTF files with format preservation, layout optimization, and multi-engine support including batch pro... It is an AI Agent Skill for Claude Code / OpenClaw, with 265 downloads so far.
How do I install Xtranslate?
Run "/install xtranslate" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Xtranslate free?
Yes, Xtranslate is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Xtranslate support?
Xtranslate is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Xtranslate?
It is built and maintained by GuoTao1980 (@guotao1980); the current version is v3.2.0.
More Skills