Compliance Checker Light

This package appears to implement the stated document-compliance features, but there are mismatches between the repository metadata, changelog, SKILL.md, and actual code. Before installing or providing secrets: - Treat the LLM/Vision keys as sensitive: the tool will send image/text to external services (e.g., DashScope/Qwen-VL or other OpenAI-compatible endpoints) during visual and semantic checks. - The SKILL.md says configuration should use OpenClaw SecretRef, but the code still reads environment variables (os.getenv) in several places (health checks, fallbacks). If you expect strict SecretRef-only behavior, review/patch code or run in an environment where you control env variables. - 'exec' SecretRef providers are supported — that means secret retrieval could run external commands; only enable that if you trust the skill and the secret provider. - If you must process highly sensitive documents, prefer local OCR (OCR_BACKEND=paddle) and avoid enabling cloud OCR/vision keys; test in an isolated environment (no network) first. - Ask the skill author (or vendor) to fix the metadata inconsistency (registry metadata should list required credentials) and to remove/clarify any remaining os.getenv fallbacks if SecretRef-only configuration is intended. If you are not comfortable providing API keys or cannot run it in an isolated/trusted environment, do not install or run it with cloud/vision keys enabled.