Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tongyong Shenhe

v1.0.0

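General-purpose content moderation Skill. Configuration-driven and applicable to all d.php back-end sites. Built-in moderation rules make automatic decisions, with optional enhancement from the Technical Department API. Other teams only need to fill in their site account and password to use it, and can modify the moderation rules to fit their own needs.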

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for wulooongcha/tongyong-shenhe.

Install the skill "Tongyong Shenhe" (wulooongcha/tongyong-shenhe) from ClawHub.
Skill page: https://clawhub.ai/wulooongcha/tongyong-shenhe
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install tongyong-shenhe

ClawHub CLI

npx clawhub@latest install tongyong-shenhe
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (generic content-moderation for d.php sites) aligns with the included code (review.py) and rules.json: the script logs into an admin panel, fetches pending items and submits review decisions. However the registry metadata lists no required binaries while the code uses the system curl binary (via subprocess). The need for admin username/password is expected; requiring the TOTP seed (not just a one-time code) is more sensitive but explainable for unattended automation.
! Instruction Scope
SKILL.md and DEPLOY/USAGE instruct connecting a VPN, providing admin credentials and the TOTP seed, and optionally sending content to a Technical Department ('技术部') moderation API. The docs also explicitly suggest sending rules.json to an external AI (Claude) to edit rules — that directs you to transmit configuration/content externally. The script will POST content it extracts to any api_url you configure, so if you set a third-party api_url the skill will send item content (potentially sensitive) offsite. These behaviors broaden scope beyond local-only moderation and raise data-leak risk.
Install Mechanism
No install spec (instruction-only plus a Python script) — low install risk. It depends on Python stdlib and optionally requests; DEPLOY asks to pip install requests only if API is used. The code executes curl via subprocess; this is not an installation-time download but runtime use of a system binary. No remote archives or opaque installers are fetched by the skill itself.
! Credentials
The skill does not request environment variables, but it requires sensitive credentials in a local config file: admin username/password and the TOTP seed. Requiring the TOTP seed (a persistent secret that can recreate 2FA tokens) is high-risk — many teams would avoid giving out seeds and prefer device-bound or short-lived approaches. The optional moderation API requires api_url and api_key; because api_url is arbitrary, a configured external service could receive all moderated content and any metadata added to requests (exfiltration risk). The config.example sets a non-obvious default api_url (https://zyaokkmo.cc) — this should be verified before use.
Persistence & Privilege
The skill is not always-enabled and doesn't request system-wide privileges. It creates a temporary cookie file for sessions and cleans up; it does not modify other skills or global agent configuration. Autonomous invocation is allowed (platform default) but not a new privilege introduced by this skill.
What to consider before installing
Before installing or running this skill, consider the following:
1) The script requires admin credentials and the TOTP seed — giving the seed grants long-term 2FA capability, so avoid supplying it unless you trust the operator; prefer a service account with limited permissions or use manual/interactive TOTP entry.
2) The skill uses system curl and expects a VPN interface (ppp0); the registry metadata did not declare curl — verify your environment and run in an isolated/test account first.
3) The moderation API is optional but accepts an arbitrary api_url and api_key; double-check the URL (the example domain looks unfamiliar). If you configure an external API, you will be sending full item text and metadata offsite — only enable this for trusted internal endpoints.
4) The docs explicitly suggest sending rules.json (and possibly example content) to external AI services (e.g., Claude) — this can leak policy or sample content; avoid sending sensitive examples.
5) Run the tool in --dry-run mode first; audit review.py yourself (search for unexpected network endpoints or hidden behavior), and consider executing it from a network-isolated environment or with network controls to prevent unintended exfiltration.
If you want, I can list exact lines in review.py to inspect and suggest safer configuration alternatives (e.g., avoid storing TOTP seed, restrict api_url to internal hostnames).

Like a lobster shell, security has layers — review code before you run it.

latest vk976sd2mnwyw7qmezt78nx8y7x850zxc
61 downloads
0 stars
1 version
Updated 1w ago
v1.0.0
MIT-0

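General-Purpose Content Moderation Skill

Overview

A configuration-driven, general-purpose content moderation skill for all of the company's back-end sites built on the d.php framework. It ships with general moderation rules (contact-information detection, prohibited content, advertising and traffic diversion, and so on) and works out of the box. Each team can modify rules.json to suit its own site's requirements.

Core features:

  • Works out of the box: fill in the account and password to run; the built-in moderation rules cover common violation types
  • Customizable rules: rules.json has a clear structure, and you can have an AI help modify it directly
  • Optional API enhancement: after configuring the Technical Department moderation API key, items get a second review by an AI model
  • Safety mechanism: dry-run mode lets you verify before going live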

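Workflow

VPN connection (ppp0 interface)
  │
  ├─ TOTP login to the admin back end
  │
  ├─ Fetch the pending-review list
  │
  ├─ Review each item
  │    │
  │    ├─ Layer 1: local rules (rules.json)
  │    │    ├─ Match → automatic rejection + reason
  │    │    └─ No match → proceed to layer 2
  │    │
  │    └─ Layer 2: Technical Department API (optional, requires api_key)
  │         ├─ rejected → automatic rejection
  │         ├─ flagged → not submitted, left for manual review
  │         └─ approved → approved
  │
  │    If no API is configured: passing the local rules means automatic approval
  │
  └─ Output statistics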

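Built-in moderation rules

rules.json comes preloaded with the following rules (general standards extracted from three existing sites):

| Rule | Enabled by default | Description |
| --- | --- | --- |
| Contact-information detection | | WeChat/QQ/TG/mobile numbers/consecutive digits |
| URL and link detection | | URLs, domain names, web addresses |
| Advertising and traffic-diversion phrasing | | "加我" (add me), "私聊" (private chat), "扫码" (scan the code), etc. |
| Underage content | | "学生妹", "初中", "幼女", etc. (terms referring to minors) |
| Prohibited service descriptions | | Sexual-service keywords |
| Fraud, gambling and illicit trade | | Gambling, fake-order brushing (刷单), lottery, etc. |
| Multi-region restriction | | "全国" (nationwide), "可空降多地" (can travel to multiple locations) (can be enabled on local-service sites) |
| Contact format | | Format validation of the phone field (enable on sites with a phone field) |
| Address detail | | Address quality check (enable on sites with an address field) |
| Price range | | Price range and round-hundred validation (enable on sites with a price field) |
| Title format | | Title format validation (enable on VIP-resource sites) |

Rules that are disabled by default apply to specific business scenarios; to enable one, simply change "enabled": false to true in rules.json.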

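How adaptation works

All of the company's site back ends are built on the same d.php framework, and the interface patterns are fixed:

| Operation | Path style (default) | Query-parameter style |
| --- | --- | --- |
| Login | /d.php/admin/login/doLogin | d.php?mod=login&code=dologin |
| Fetch list | /d.php/admin/{module}/listAjax | d.php?mod={module}&code=listAjax |
| Submit result | /d.php/admin/{module}/verifyStatus | d.php?mod={module}&code=verifyStatus |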

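Module list

| File | Purpose |
| --- | --- |
| review.py | Main review script |
| rules.json | Moderation rules (customizable) |
| config.example.json | Configuration template |
| SKILL.md | This document |
| DEPLOY.md | Deployment guide |
| USAGE.md | Usage guide |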

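Configuration file

| Setting | Required | Description |
| --- | --- | --- |
| site.base_url | | Back-end URL |
| site.module | | Name of the module to review |
| auth.username | | Login username |
| auth.password | | Login password |
| auth.totp_seed | | TOTP secret |
| moderation.content_fields | | Fields submitted for review (default ["title", "content"]) |
| moderation.api_key | | Technical Department API key (if left blank, only local rules are used) |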
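
A pre-flight check for the configuration above, following the scan's advice to avoid a stored TOTP seed and to restrict the API endpoint to internal hosts. This is an added example, not part of the skill or of ClawHub's scanner; the `moderation.api_url` key location, the allowlisted hostname and the sample values are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: hosts your organisation operates (constructed placeholder name).
ALLOWED_API_HOSTS = {"moderation.internal.example"}

def audit_config(cfg, allowed_hosts=ALLOWED_API_HOSTS):
    """Return (severity, message) findings for a parsed skill config dict."""
    findings = []
    auth = cfg.get("auth", {})
    mod = cfg.get("moderation", {})

    # A stored seed can mint valid 2FA codes for as long as it is not rotated.
    if auth.get("totp_seed"):
        findings.append(("high", "auth.totp_seed is stored in the config file"))

    # Username, password and TOTP code are all sent to site.base_url.
    if urlsplit(cfg.get("site", {}).get("base_url", "")).scheme != "https":
        findings.append(("medium", "site.base_url is not https"))

    api_key = mod.get("api_key", "")
    api_url = mod.get("api_url", "")  # assumed key location, see lead-in
    if api_key and not api_url:
        findings.append(("high", "api_key set without an explicit api_url"))
    elif api_key:
        url = urlsplit(api_url)
        host = (url.hostname or "").lower()
        if url.scheme != "https":
            findings.append(("high", "moderation.api_url is not https"))
        if host not in allowed_hosts:
            findings.append(("high", f"moderation.api_url host {host} is not allowlisted"))
    return findings

# Constructed sample config; api_url is the default the scan report quotes.
SAMPLE_CONFIG = {
    "site": {"base_url": "https://admin.example.test", "module": "example"},
    "auth": {"username": "reviewer", "password": "placeholder",
             "totp_seed": "PLACEHOLDERSEED"},
    "moderation": {"content_fields": ["title", "content"],
                   "api_key": "placeholder-key",
                   "api_url": "https://zyaokkmo.cc"},
}

if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against the parsed config file before the first --dry-run, and treat any "high" finding as a reason not to start the script.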

Output example

[14:30:01] ═══ 通用审核 [茶馆大厅] (LIVE) ═══
[14:30:01] 已加载 6 条审核规则
[14:30:01] 正在登录...
[14:30:02] 登录成功
[14:30:02] 待审总量: 45 条
[14:30:02] ── 第 1 页(45 条)──
[14:30:02]   [1001] PASS
[14:30:02]   [1002] REJECT [contact_keywords]: 含联系方式或疑似导流信息,审核失败
[14:30:02]   [1003] PASS
[14:30:02]   [1004] REJECT [underage_content]: 平台禁止发布未成年人相关信息,审核失败
...
[14:30:15] 完成: 共45条 | 通过32 | 拒绝8 | 待复审0 | 跳过3 | 异常2
