ClawHub

Chinese Sensitive Words

v1.0.5

Chinese sensitive word detection and content compliance checker (中文敏感词/违禁词检测). Scan text for banned, restricted, and risky words across Xiaohongshu (小红书), Do...

0· 149·0 current·0 all-time
by@cccpan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binaries (curl, jq), the primary credential (SENSITIVE_WORDS_TOKEN), and the included scripts all align with a networked sensitive-word detection tool. The scripts only reference expected items (.env for token/API base, and a local usage file).
Instruction Scope
The SKILL.md and scripts send the user-supplied text to a remote service (default https://www.xdhdancer.top/api8888) for analysis and will include the token as a Bearer header if provided. This is consistent with the stated purpose, but it means user content is transmitted off-device — the README claims the service "will not store or share your text" (a server-side claim you cannot verify locally).
Install Mechanism
No install spec is present (instruction-only plus shell scripts), so nothing is downloaded or installed by the skill bundle itself. This is the lowest-risk install posture.
Credentials
The only credential used is SENSITIVE_WORDS_TOKEN (declared as primaryEnv). However, registry metadata lists "Required env vars: none" which is inconsistent with primaryEnv being set. The scripts also honor an optional SENSITIVE_WORDS_API_BASE (not listed in metadata). These are small metadata mismatches but not themselves excessive: the requested token is proportional to the service's functionality.
Persistence & Privilege
Skill does not request elevated or persistent platform privileges. It writes a small usage file to $HOME/.sensitive-words-usage to track free-call quotas and reads a .env in the parent directory for configuration — both are limited, local persistence. always:true is not set and the skill does not modify other skills or system-wide config.
Assessment
This skill appears to be what it claims, but it transmits the text you check to a remote API by default. Before installing or using it: (1) Decide whether you are comfortable sending sensitive content to the default endpoint (https://www.xdhdancer.top/api8888). (2) Prefer obtaining a token from the listed source only if you trust the operator, and do not paste secrets into .env unless you control the machine. (3) If privacy is required, consider self-hosting and set SENSITIVE_WORDS_API_BASE to your own server, or inspect/host the server code before sending data. (4) Note minor metadata mismatches: the registry says no required env vars even though primaryEnv is SENSITIVE_WORDS_TOKEN and the scripts also accept SENSITIVE_WORDS_API_BASE — this is a documentation inconsistency, not a code-level red flag.

Like a lobster shell, security has layers — review code before you run it.

bilibilivk97ej76z5a3d8hy1pt69tapx9h83435bchinesevk97ej76z5a3d8hy1pt69tapx9h83435bcontent-moderationvk97ej76z5a3d8hy1pt69tapx9h83435bdouyinvk97ej76z5a3d8hy1pt69tapx9h83435blatestvk974scxk0d04pd0pccpz8rzbyh837ewcsensitive-wordsvk97ej76z5a3d8hy1pt69tapx9h83435bstablevk97ej76z5a3d8hy1pt69tapx9h83435bxiaohongshuvk97ej76z5a3d8hy1pt69tapx9h83435b

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔍 Clawdis
Binscurl, jq
Primary envSENSITIVE_WORDS_TOKEN

Comments