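Prohibited Words · Pre-Posting Compliance Check
Author: kong-zi-chg · GitHub · v1.0.1
379 total downloads · 1 favorite · 2 current installs · 2 versions
Install in OpenClaw
/install compliance-check
Description
Prohibited words · Compared against multiple free, comprehensive, continuously updated wordlists; publish only after it passes. Works out of the box, no need to add words yourself. Use when user asks 合规检查 (compliance check), 敏感词 (sensitive words), 违规词 (prohibited words), 发帖前检查 (pre-posting check), 内容审核 (content moderation).
Usage instructions (SKILL.md)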
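# Prohibited Words · Pre-Posting Compliance Check

Compared against multiple free, comprehensive, continuously updated wordlists; content goes live only when no problems are found. Works out of the box: users do not need to add wordlists themselves, and paying simply saves the effort.

## When to use

- User says 检查这段文案 (check this copy), 违规词 (prohibited words), 敏感词 (sensitive words), 发前合规 (pre-posting compliance), 上架前检查 (pre-listing check)
- User pastes draft and wants to know if it's safe to post / compliant

## How to run

```bash
# Check text passed directly as an argument (the quoted string is the draft text)
python scripts/check.py "待检查的文案内容"
# Check text read from a file
python scripts/check.py --file path/to/draft.txt
# Produce a Markdown report instead of JSON
python scripts/check.py "文案" --format report
```

**Users do not need to** run sync or add wordlists themselves; the skill ships with multiple wordlists and can check right away.

## Wordlists (ready out of the box)

- Built-in: Advertising Law (absolute/exaggerated claims, superstition and medical claims), platform-general (abuse and prohibited content, pinyin and variants, etc.).
- Synced free wordlists: English prohibited, Chinese prohibited, advertising, supplementary, pornography, reactionary, violence and terrorism, other, etc. (see `config/wordlists/`). All of them take part in the comparison; no user maintenance is needed.
- Custom (optional): `config/sensitive_words.txt` can hold words you want to block yourself; not required.

## Output

- **JSON**: `pass`, `report_short`, `summary_zh`, `hits_by_source`, `compliance_tips`, optional `suggestions`.
- **--format report**: Markdown report, ready to display.

## Permissions / SkillPay

Only reads the text the user passes in and the wordlists bundled with the skill; does not write to the user's system and does not post on the user's behalf. Can be connected to SkillPay for per-use billing; each execution counts as 1 use.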
Security usage recommendations
This skill is largely consistent with its stated purpose (local multi-wordlist content checks) and ships many pre-populated wordlists. Before installing or running it, note these points: (1) The check script will try to find DEEPSEEK_API_KEY not only from environment but by reading files such as ~/.env and ~/.openclaw/.env — review those files first because they may contain unrelated secrets. (2) If a DEEPSEEK_API_KEY is available, the tool will send portions of the checked text to https://api.deepseek.com for AI suggestions; only enable that if you trust that service and are comfortable with sending content. (3) The repository includes an HTTP server script (api_server.py) that binds 0.0.0.0 and sets Access-Control-Allow-Origin: * — don't run it on a public network interface unless you intentionally want to expose the endpoint. (4) sync_wordlists.py fetches wordlists from public raw GitHub URLs when run; running it will write files under config/wordlists/. (5) If you prefer stricter behavior, remove or modify the code paths that read home dotfiles and that call external APIs (or ensure DEEPSEEK_API_KEY is not set). Run the tool in an isolated environment (container/VM) or audit/modify the scripts to remove unwanted file reads or network calls before use.
Functional analysis
Type: OpenClaw Skill
Name: compliance-check
Version: 1.0.1
The skill bundle provides a content moderation tool but contains several high-risk security practices. `scripts/check.py` attempts to discover API keys by searching sensitive local files including `~/.env` and `~/.openclaw/.env`. Furthermore, `scripts/api_server.py` implements an unauthenticated HTTP server that listens on all network interfaces (`0.0.0.0`) with permissive CORS (`*`), potentially exposing the tool and the user's API keys to unauthorized access. The `scripts/sync_wordlists.py` script also fetches content from multiple external GitHub repositories, which presents a supply chain risk if those sources are compromised.
Capability assessment
Purpose & Capability
Name/description match the included functionality: multiple bundled wordlists, local checking, optional sync. The presence of sync_wordlists.py (fetching remote wordlists) and api_server.py (HTTP endpoint) is explainable for maintainers and integrators. However, the README/SKILL.md claim the skill only reads user-provided text and its internal wordlists; the implementation also looks for DEEPSEEK_API_KEY in environment and multiple local dotfiles (e.g. ~/.env, ~/.openclaw/.env, email.env) which is not the obvious scope of a pure local checker.
Instruction Scope
SKILL.md instructs using scripts/check.py and states it only reads the user-supplied text and bundled wordlists. But check.py includes logic that (a) will attempt to read local env files (~/.env, ~/.openclaw/.env, email.env) to discover DEEPSEEK_API_KEY, and (b) will call an external API (https://api.deepseek.com/v1/chat/completions) when that key is present. api_server.py opens an HTTP server bound to 0.0.0.0 and responds to POST /check with CORS '*' — network behavior is broader than the SKILL.md’s minimal examples. Reading user home dotfiles and exposing an HTTP API are scope expansions the SKILL.md did not clearly disclose.
Install Mechanism
No install spec; code is instruction-only with bundled scripts and wordlists. There is no remote install or archive extraction in the package itself. sync_wordlists.py can fetch remote wordlists when explicitly run; those sources are public GitHub raw URLs (expected for wordlist syncing).
Credentials
The package declares no required env vars, but the code will use DEEPSEEK_API_KEY if present — and will proactively search common dotfiles (~/.env, ~/.openclaw/.env, email.env) for that key. Searching arbitrary local env files risks reading unrelated secrets on the host and is not declared as a permission/requirement in SKILL.md. Transmitting text to api.deepseek.com occurs only when a key is found, but that transmission path is not fully highlighted in the runtime instructions (only a brief README note about optional AI suggestions).
Persistence & Privilege
always is false and there is no automatic modification of system-wide configs. However, api_server.py can be started to bind to 0.0.0.0 with CORS '*' which could expose the check functionality over the network if a user runs it — a benign feature but one with operational risk if started on an internet-facing host. sync_wordlists.py writes into the package's config/wordlists/ directory only when intentionally executed.
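How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install compliance-check
- Once installation completes, call the Skill by name or use /compliance-check to trigger it
- Provide the required input according to the Skill's parameter description to get structured output
Version history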
v1.0.1
- Removed 8 documentation and deployment guide files for a leaner package.
- No changes to core functionality or usage.
- Main documentation and usage instructions retained in SKILL.md and 上传说明.txt.
v1.0.0
- Initial release of compliance-check skill for pre-post content compliance.
- Automatically compares text against multiple free, up-to-date keyword lists.
- No user-maintained wordlists needed—built-in libraries include advertising, abusive, prohibited, and more.
- User can check drafts via simple command; optional custom wordlist is supported.
- Outputs results in JSON or ready-to-display Markdown report format.
- Requires only read access to input content and internal wordlists; supports SkillPay per-check billing.
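Frequently asked questions
What is Prohibited Words · Pre-Posting Compliance Check?
Prohibited words · Compared against multiple free, comprehensive, continuously updated wordlists; publish only after it passes. Works out of the box, no need to add words yourself. Use when user asks 合规检查, 敏感词, 违规词, 发帖前检查, 内容审核. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 379 cumulative downloads to date.
How do I install Prohibited Words · Pre-Posting Compliance Check?
Run the command "/install compliance-check" in the OpenClaw or Claude Code chat box for one-click installation; no extra configuration is needed.
Is Prohibited Words · Pre-Posting Compliance Check free?
Yes, Prohibited Words · Pre-Posting Compliance Check is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does Prohibited Words · Pre-Posting Compliance Check support?
Prohibited Words · Pre-Posting Compliance Check is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Prohibited Words · Pre-Posting Compliance Check?
It is developed and maintained by kong-zi-chg (@kong-zi-chg); the current version is v1.0.1.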