gzh-prohibited-word (WeChat Official Account prohibited-word detection)
Review: Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its stated purpose, but its checker deliberately disables HTTPS identity checks, which could expose submitted drafts or files to an unverified API connection.
Review and trust the configured API host before use, and avoid submitting confidential drafts or files until TLS verification is fixed. If installing, use trusted package sources for the Python dependencies and Playwright browser.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Drafts, uploaded-file text, or webpage text submitted for checking could be exposed to or modified by an active network attacker or a misconfigured endpoint.
The script intentionally disables normal HTTPS endpoint verification and SNI while the skill sends user content to a configured detection API. That makes the API identity unverifiable and increases interception or tampering risk.
Comment in the script (translated from Chinese): "Specify the target site via the Host header, bypassing SNI-based CDN/ICP blocking." ... context.check_hostname = False ... context.verify_mode = ssl.CERT_NONE ... ssl_sock = context.wrap_socket(sock)
Re-enable standard TLS verification with server_hostname/SNI, ensure the configured host matches a valid certificate, and clearly disclose the trusted API provider and data handling.
Using the skill may install and run third-party packages and a browser component in the local environment.
The skill requires third-party Python packages and a Playwright browser install. This is aligned with file and webpage extraction, but it expands the local supply-chain surface.
dependency:
  python:
    - python-docx==1.1.0
    - beautifulsoup4==4.12.3
    - playwright==1.58.0
  system:
    - playwright install chromium
Install dependencies from trusted package indexes, keep versions pinned, and prefer a registry install spec that makes these setup requirements explicit.
