prohibited-word-query (Multi-platform prohibited word query)
VirusTotal audit pending.
Overview
No VirusTotal analysis has been recorded yet. File reputation checks will appear here once the artifact hash has been scanned.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user asks the skill to check a webpage, a network attacker or misconfigured endpoint could alter the fetched page text that the agent analyzes and may later send to the detection API.
The webpage extraction helper explicitly disables hostname and certificate verification for HTTPS connections, so HTTPS URL fetching can accept spoofed or tampered responses.
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE
ssl_sock = context.wrap_socket(sock) # server_hostname is not passed, so SNI is not sent
Keep TLS verification enabled for webpage fetching, pass server_hostname for SNI, and only use a clearly labeled manual fallback for exceptional sites after user confirmation.
Text, file-extracted text, image OCR text, or webpage text submitted for checking may leave the local environment and be processed by the stated third-party service.
The skill discloses that user text is sent to a third-party, non-official detection API for matching; this is purpose-aligned but important for privacy expectations.
The content to be checked is sent via HTTPS POST to the following endpoint... `https://onetotenvip.com/story/cozeSkill/sensitiveWordSearch`... Request body fields: `content` (the text to be checked), `platform`, `source`
Do not submit confidential material unless you are comfortable with that service processing it; use the documented PROHIBITED_WORD_API_URL override for an approved internal HTTPS endpoint if needed.
