错敏信息检测
v1.0.1通过调用UCAP安全接口,检测文本或网页内容中的多种敏感信息,支持智能静态和动态抓取模式,保障数据合规。
⭐ 0· 114·0 current·0 all-time
by@1227323804·duplicate of @1227323804/ucap-sensitive-check (1.0.1)·canonical: @1227323804/ucap-sensitive-check111
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description claim detecting sensitive info via a UCAP API. The package contains code to fetch URLs, perform SSRF checks, and call an external API (userKey support). Required tooling (requests, dnspython, beautifulsoup) aligns with fetching/parsing/validating web content. No unrelated cloud credentials or unrelated system access are requested.
Instruction Scope
SKILL.md and main.py limit actions to: validating URLs, optionally fetching page content (static or optional browser-based), and calling the UCAP service. The docs explicitly call out SSRF risks and require a whitelist for the dynamic/browser mode; the instructions do not direct the agent to read unrelated files or exfiltrate arbitrary environment data.
Install Mechanism
There is no platform install spec (instruction-only installer), but requirements.txt and SKILL.md instruct pip installing dependencies. Dynamic mode requires external tooling (Node.js, agent-browser, Chrome) invoked via subprocess — this is optional and only necessary to enable browser rendering. This is expected for the described functionality but increases runtime footprint if dynamic mode is enabled.
Credentials
No required environment variables are declared. The code supports an optional UCAP_USERKEY (stored in process env only) to lift rate limits; this matches the described behavior. No unrelated secrets or multiple external service credentials are requested.
Persistence & Privilege
The skill does not request permanent/always-on privileges (always:false) and does not modify other skills or system-wide configs. It writes an optional userKey to the current process env only and documents this behavior. Autonomous invocation is allowed (disable-model-invocation:false) but that is the platform default and not, by itself, a risk here.
Assessment
This skill appears coherent and security-conscious. Before installing: 1) Review where the UCAP API endpoint(s) are called in main.py so you know what external host(s) receive data. 2) Use an isolated Python environment (venv) when pip installing the listed dependencies. 3) Do NOT enable dynamic/browser mode (DISABLE_JAVASCRIPT=False) unless you intentionally install Node/agent-browser/Chrome and you set a strict ALLOWED_DOMAINS whitelist — dynamic mode executes page JS and can create SSRF risks if misconfigured. 4) Treat the UCAP userKey like any API key: provide it only if you trust the UCAP service; the code stores it only in-process but suggests persisting as a system env var for convenience (avoid persisting secrets unless necessary). If you want extra assurance, request the maintainer to publish the UCAP API endpoint and any telemetry behavior in the code for review.Like a lobster shell, security has layers — review code before you run it.
latestvk976xtvvphsxhey92xmw7xj52h84jtp0
License
MIT-0
Free to use, modify, and redistribute. No attribution required.