Post Content Moderation

This skill is a moderation integration that is explicitly built to call external moderation/model APIs and to callback results to your backend. That is coherent with its purpose, but you should not install or enable it in production until you do the following checks: 1) Confirm whether the package actually includes the demo PHP scripts referenced in the docs (scripts/*). The docs describe code that will send data externally; if those scripts are present, inspect them before running. If they are absent, the docs may be stale. 2) Treat all post text, image/video URLs, whitelist entries and custom rules as potentially exfiltratable. Ensure you have a narrow allowed_hosts list for model, pull, and callback endpoints and never allow arbitrary destinations. 3) Use a dry-run mode (MODERATION_DRY_RUN) and run end-to-end tests before enabling callbacks that write results to production systems. 4) Do not hardcode API keys; inject them via environment variables and confirm which env names your deployed code expects (docs reference XAI_API_KEY and other config keys even though the manifest lists none). 5) If you require real image/video inspection, implement and verify a local preprocessing pipeline (OCR, QR detection, ASR, frame extraction) — the included media inspector is a placeholder according to the docs. 6) Restrict autonomous execution (agent invocation) in sensitive environments or require explicit human review for ambiguous cases; if you plan to allow fully automatic mode, enforce fail-closed policies and timeouts. If you cannot verify the presence and content of the demo scripts, or you cannot enforce strict allowlists and dry-run testing, consider treating this skill as risky and avoid enabling automatic callbacks on production data.