Skill v1.0.1
ClawScan security
Prohibited-word pre-posting compliance check (违规词·发帖前合规检查) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 6, 2026, 5:29 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: Skill mostly does what it claims (local wordlist checks) but the code reads unspecified dotfiles for an API key and can send text to an external API / open a network API — behavior not fully disclosed in SKILL.md and therefore disproportionate.
- Guidance: This skill is largely consistent with its stated purpose (local multi-wordlist content checks) and ships many pre-populated wordlists. Before installing or running it, note these points:
  - (1) The check script will try to find DEEPSEEK_API_KEY not only from the environment but by reading files such as ~/.env and ~/.openclaw/.env — review those files first because they may contain unrelated secrets.
  - (2) If a DEEPSEEK_API_KEY is available, the tool will send portions of the checked text to https://api.deepseek.com for AI suggestions; only enable that if you trust that service and are comfortable with sending content.
  - (3) The repository includes an HTTP server script (api_server.py) that binds 0.0.0.0 and sets Access-Control-Allow-Origin: * — don't run it on a public network interface unless you intentionally want to expose the endpoint.
  - (4) sync_wordlists.py fetches wordlists from public raw GitHub URLs when run; running it will write files under config/wordlists/.
  - (5) If you prefer stricter behavior, remove or modify the code paths that read home dotfiles and that call external APIs (or ensure DEEPSEEK_API_KEY is not set). Run the tool in an isolated environment (container/VM) or audit/modify the scripts to remove unwanted file reads or network calls before use.
Review Dimensions
- Purpose & Capability (note): Name/description match the included functionality: multiple bundled wordlists, local checking, optional sync. The presence of sync_wordlists.py (fetching remote wordlists) and api_server.py (HTTP endpoint) is explainable for maintainers and integrators. However, the README/SKILL.md claim the skill only reads user-provided text and its internal wordlists; the implementation also looks for DEEPSEEK_API_KEY in the environment and in multiple local dotfiles (e.g. ~/.env, ~/.openclaw/.env, email.env), which is not the obvious scope of a pure local checker.
- Instruction Scope (concern): SKILL.md instructs using scripts/check.py and states it only reads the user-supplied text and bundled wordlists. But check.py includes logic that (a) will attempt to read local env files (~/.env, ~/.openclaw/.env, email.env) to discover DEEPSEEK_API_KEY, and (b) will call an external API (https://api.deepseek.com/v1/chat/completions) when that key is present. api_server.py opens an HTTP server bound to 0.0.0.0 and responds to POST /check with CORS '*' — network behavior is broader than the SKILL.md's minimal examples. Reading user home dotfiles and exposing an HTTP API are scope expansions the SKILL.md did not clearly disclose.
- Install Mechanism (ok): No install spec; code is instruction-only with bundled scripts and wordlists. There is no remote install or archive extraction in the package itself. sync_wordlists.py can fetch remote wordlists when explicitly run; those sources are public GitHub raw URLs (expected for wordlist syncing).
- Credentials (concern): The package declares no required env vars, but the code will use DEEPSEEK_API_KEY if present — and will proactively search common dotfiles (~/.env, ~/.openclaw/.env, email.env) for that key. Searching arbitrary local env files risks reading unrelated secrets on the host and is not declared as a permission/requirement in SKILL.md. Transmitting text to api.deepseek.com occurs only when a key is found, but that transmission path is not fully highlighted in the runtime instructions (only a brief README note about optional AI suggestions).
- Persistence & Privilege (note): The always field is false and there is no automatic modification of system-wide configs. However, api_server.py can be started to bind to 0.0.0.0 with CORS '*', which could expose the check functionality over the network if a user runs it — a benign feature but one with operational risk if started on an internet-facing host. sync_wordlists.py writes into the package's config/wordlists/ directory only when intentionally executed.
