Tongyong Shenhe

by wulooongcha · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 64
Stars: 0
Active Installs: 1
Versions: 1
Install in OpenClaw
/install tongyong-shenhe
Description
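General-purpose content moderation Skill. Configuration-driven and applicable to all d.php back-end sites. Built-in moderation rules make automatic judgments, with optional enhancement through the technical department's API. Other groups only need to fill in the site account and password to use it, and the moderation rules can be modified to fit their needs.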
Usage Guidance
Before installing or running this skill, consider the following:
  1. The script requires admin credentials and the TOTP seed — giving the seed grants long-term 2FA capability, so avoid supplying it unless you trust the operator; prefer a service account with limited permissions or use manual/interactive TOTP entry.
  2. The skill uses system curl and expects a VPN interface (ppp0); the registry metadata did not declare curl — verify your environment and run in an isolated/test account first.
  3. The moderation API is optional but accepts an arbitrary api_url and api_key; double-check the URL (the example domain looks unfamiliar). If you configure an external API, you will be sending full item text and metadata offsite — only enable this for trusted internal endpoints.
  4. The docs explicitly suggest sending rules.json (and possibly example content) to external AI services (e.g., Claude) — this can leak policy or sample content; avoid sending sensitive examples.
  5. Run the tool in --dry-run mode first; audit review.py yourself (search for unexpected network endpoints or hidden behavior), and consider executing it from a network-isolated environment or with network controls to prevent unintended exfiltration.
If you want, I can list exact lines in review.py to inspect and suggest safer configuration alternatives (e.g., avoid storing TOTP seed, restrict api_url to internal hostnames).
Capability Analysis
Type: OpenClaw Skill
Name: tongyong-shenhe
Version: 1.0.0
The skill is designed to automate content moderation on 'd.php' framework sites but exhibits several high-risk behaviors. It requires sensitive administrative credentials, including a TOTP seed (Base32 secret), and uses subprocess to execute system 'curl' commands for network requests. Most notably, it optionally exfiltrates content to an external API hosted on a suspicious, non-corporate domain (zyaokkmo.cc) for 'AI enhancement.' While the logic aligns with the stated purpose of moderation, the combination of credential handling, shell execution, and data transmission to an untrusted endpoint presents a significant security risk.
Capability Tags
requires-sensitive-credentials
Capability Assessment
Purpose & Capability
The name/description (generic content moderation for d.php sites) aligns with the included code (review.py) and rules.json: the script logs into an admin panel, fetches pending items and submits review decisions. However, the registry metadata lists no required binaries, while the code uses the system curl binary (via subprocess). The need for an admin username/password is expected; requiring the TOTP seed (not just a one-time code) is more sensitive but explainable for unattended automation.
Instruction Scope
SKILL.md and DEPLOY/USAGE instruct connecting a VPN, providing admin credentials and the TOTP seed, and optionally sending content to a '技术部' (technical department) moderation API. The docs also explicitly suggest sending rules.json to an external AI (Claude) to edit rules, which directs you to transmit configuration/content externally. The script will POST content it extracts to any api_url you configure, so if you set a third-party api_url the skill will send item content (potentially sensitive) offsite. These behaviors broaden scope beyond local-only moderation and raise data-leak risk.
Install Mechanism
No install spec (instruction-only plus a Python script) — low install risk. It depends on Python stdlib and optionally requests; DEPLOY asks to pip install requests only if API is used. The code executes curl via subprocess; this is not an installation-time download but runtime use of a system binary. No remote archives or opaque installers are fetched by the skill itself.
Credentials
The skill does not request environment variables, but it requires sensitive credentials in a local config file: admin username/password and the TOTP seed. Requiring the TOTP seed (a persistent secret that can recreate 2FA tokens) is high-risk — many teams would avoid giving out seeds and prefer device-bound or short-lived approaches. The optional moderation API requires api_url and api_key; because api_url is arbitrary, a configured external service could receive all moderated content and any metadata added to requests (exfiltration risk). The config.example sets a non-obvious default api_url (https://zyaokkmo.cc) — this should be verified before use.
Persistence & Privilege
The skill is not always-enabled and doesn't request system-wide privileges. It creates a temporary cookie file for sessions and cleans up; it does not modify other skills or global agent configuration. Autonomous invocation is allowed (platform default) but not a new privilege introduced by this skill.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install tongyong-shenhe
  3. After installation, invoke the skill by name or use /tongyong-shenhe
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of "tongyong-shenhe" – a configurable, general-purpose content moderation skill for all d.php-based backend sites.
- Built-in moderation rules for common violations; supports rule customization via `rules.json`.
- Simple deployment: fill in site credentials to use; technical API integration (optional) for enhanced review.
- Features dry-run safety mode; supports TOTP login and standard d.php interface formats.
- Clear, real-time audit output and support for field-level configuration per site.
Metadata
Slug: tongyong-shenhe
Version: 1.0.0
License: MIT-0
All-time Installs: 1
Active Installs: 1
Total Versions: 1
Frequently Asked Questions

What is Tongyong Shenhe?

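General-purpose content moderation Skill. Configuration-driven and applicable to all d.php back-end sites. Built-in moderation rules make automatic judgments, with optional enhancement through the technical department's API. Other groups only need to fill in the site account and password to use it, and the moderation rules can be modified to fit their needs. It is an AI Agent Skill for Claude Code / OpenClaw, with 64 downloads so far.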

How do I install Tongyong Shenhe?

Run "/install tongyong-shenhe" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Tongyong Shenhe free?

Yes, Tongyong Shenhe is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Tongyong Shenhe support?

Tongyong Shenhe is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Tongyong Shenhe?

It is built and maintained by wulooongcha (@wulooongcha); the current version is v1.0.0.
