← 返回 Skills 市场
Tongyong Shenhe
作者
wulooongcha
· GitHub ↗
· v1.0.0
· MIT-0
64
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install tongyong-shenhe
功能描述
通用内容审核 Skill。配置驱动,适用于所有 d.php 后台站点。内置审核规则自动判断 + 可选技术部API增强。其他组只需填写站点账号密码即可使用,审核规则可自行修改适配。
安全使用建议
Before installing or running this skill, consider the following: 1) The script requires admin credentials and the TOTP seed — giving the seed grants long-term 2FA capability, so avoid supplying it unless you trust the operator; prefer a service account with limited permissions or use manual/interactive TOTP entry. 2) The skill uses system curl and expects a VPN interface (ppp0); the registry metadata did not declare curl — verify your environment and run in an isolated/test account first. 3) The moderation API is optional but accepts an arbitrary api_url and api_key; double-check the URL (the example domain looks unfamiliar). If you configure an external API, you will be sending full item text and metadata offsite — only enable this for trusted internal endpoints. 4) The docs explicitly suggest sending rules.json (and possibly example content) to external AI services (e.g., Claude) — this can leak policy or sample content; avoid sending sensitive examples. 5) Run the tool in --dry-run mode first; audit review.py yourself (search for unexpected network endpoints or hidden behavior), and consider executing it from a network-isolated environment or with network controls to prevent unintended exfiltration. If you want, I can list exact lines in review.py to inspect and suggest safer configuration alternatives (e.g., avoid storing TOTP seed, restrict api_url to internal hostnames).
功能分析
Type: OpenClaw Skill
Name: tongyong-shenhe
Version: 1.0.0
The skill is designed to automate content moderation on 'd.php' framework sites but exhibits several high-risk behaviors. It requires sensitive administrative credentials, including a TOTP seed (Base32 secret), and uses subprocess to execute system 'curl' commands for network requests. Most notably, it optionally exfiltrates content to an external API hosted on a suspicious, non-corporate domain (zyaokkmo.cc) for 'AI enhancement.' While the logic aligns with the stated purpose of moderation, the combination of credential handling, shell execution, and data transmission to an untrusted endpoint presents a significant security risk.
能力标签
能力评估
Purpose & Capability
The name/description (generic content-moderation for d.php sites) aligns with the included code (review.py) and rules.json: the script logs into an admin panel, fetches pending items and submits review decisions. However the registry metadata lists no required binaries while the code uses the system curl binary (via subprocess). The need for admin username/password is expected; requiring the TOTP seed (not just a one-time code) is more sensitive but explainable for unattended automation.
Instruction Scope
SKILL.md and DEPLOY/USAGE instruct connecting a VPN, providing admin credentials and the TOTP seed, and optionally sending content to a '技术部' moderation API. The docs also explicitly suggest sending rules.json to an external AI (Claude) to edit rules — that directs you to transmit configuration/content externally. The script will POST content it extracts to any api_url you configure, so if you set a third‑party api_url the skill will send item content (potentially sensitive) offsite. These behaviors broaden scope beyond local-only moderation and raise data-leak risk.
Install Mechanism
No install spec (instruction-only plus a Python script) — low install risk. It depends on Python stdlib and optionally requests; DEPLOY asks to pip install requests only if API is used. The code executes curl via subprocess; this is not an installation-time download but runtime use of a system binary. No remote archives or opaque installers are fetched by the skill itself.
Credentials
The skill does not request environment variables, but it requires sensitive credentials in a local config file: admin username/password and the TOTP seed. Requiring the TOTP seed (a persistent secret that can recreate 2FA tokens) is high-risk — many teams would avoid giving out seeds and prefer device-bound or short-lived approaches. The optional moderation API requires api_url and api_key; because api_url is arbitrary, a configured external service could receive all moderated content and any metadata added to requests (exfiltration risk). The config.example sets a non-obvious default api_url (https://zyaokkmo.cc) — this should be verified before use.
Persistence & Privilege
The skill is not always-enabled and doesn't request system-wide privileges. It creates a temporary cookie file for sessions and cleans up; it does not modify other skills or global agent configuration. Autonomous invocation is allowed (platform default) but not a new privilege introduced by this skill.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install tongyong-shenhe - 安装完成后,直接呼叫该 Skill 的名称或使用
/tongyong-shenhe触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
- Initial release of "tongyong-shenhe" – a configurable, general-purpose content moderation skill for all d.php-based backend sites.
- Built-in moderation rules for common violations; supports rule customization via `rules.json`.
- Simple deployment: fill in site credentials to use; technical API integration (optional) for enhanced review.
- Features dry-run safety mode; supports TOTP login and standard d.php interface formats.
- Clear, real-time audit output and support for field-level configuration per site.
元数据
常见问题
Tongyong Shenhe 是什么?
通用内容审核 Skill。配置驱动,适用于所有 d.php 后台站点。内置审核规则自动判断 + 可选技术部API增强。其他组只需填写站点账号密码即可使用,审核规则可自行修改适配。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 64 次。
如何安装 Tongyong Shenhe?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install tongyong-shenhe」即可一键安装,无需额外配置。
Tongyong Shenhe 是免费的吗?
是的,Tongyong Shenhe 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Tongyong Shenhe 支持哪些平台?
Tongyong Shenhe 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Tongyong Shenhe?
由 wulooongcha(@wulooongcha)开发并维护,当前版本 v1.0.0。
推荐 Skills