Qiaomu AI Access
Detect first, ask second, stay inside legal and platform boundaries.
Router Rules
- Use this skill when the user's goal is environment-signal transparency before using AI websites, APIs, or top AI models.
- Use it when the user asks to identify "中国用户特征", "China user signals", "AI access signals", browser language/timezone/font/emoji signals, or isChinaUser results.
- If the user asks directly for VPN/proxy purchase, IP masking, account-region laundering, KYC/payment misrepresentation, CAPTCHA bypass, device-fingerprint evasion, or sanctions/geofence bypass, do not run an evasion workflow. Briefly refuse that part and offer the safe detection and privacy-hygiene workflow.
- Do not treat nationality, ethnicity, residence, or legal eligibility as something this skill can determine. It only reports runtime signals.
Workflow
- State the boundary in one sentence: this skill checks signals and can suggest compliant privacy hygiene, but it does not help bypass service restrictions or misrepresent identity/location.
- Run the detector from the repository root after dependencies are installed:
  npm install
  npm run detect:browser -- --output reports/latest-ai-access-check.md
  If the user explicitly agrees to remote network probes, run:
  npm run detect:full -- --output reports/latest-ai-access-check.md
- Show the user the high-level status, coverage level, and signal table. Treat runtime, browser, and network coverage separately; do not overstate skipped or unavailable layers.
- Ask this exact confirmation before any follow-up hygiene advice:
  是否继续做合规隐私卫生检查?我可以帮你减少 prompt、浏览器偏好和工作区说明里不必要的地域信号;不会帮助绕过平台地域限制、伪装 IP/身份、规避风控或违反服务条款。
  (English rendering: "Continue with a compliant privacy-hygiene check? I can help you reduce unnecessary regional signals in prompts, browser preferences, and workspace notes; I will not help bypass platform region restrictions, disguise IP/identity, evade risk controls, or violate terms of service.")
- If the user says yes, provide only non-destructive, compliant steps:
  - prefer official AI services, models, regions, and payment paths available to the user;
  - use English prompts/UI preferences when the goal is English model behavior or documentation quality;
  - keep a separate browser profile for AI work to reduce cookie/history/permission mixing;
  - remove unnecessary location claims from prompts, docs, and profile snippets when they are not relevant;
  - explain that changing system language/timezone to misrepresent location or bypass controls is outside this skill.
- If the user says no or seems unsure, stop after the report and offer to save it for later.
Output Contract
- reports/latest-ai-access-check.md when the detector is run with --output.
- A concise status: china-signals-detected, no-china-signal-detected, or inconclusive.
- A coverage table for runtime, browser, and network.
- A signal table with source, value, and notes.
- The required consent prompt.
- Clear unavailable/missing-evidence labels for browser-only or network-only signals not measured in the current run.
Runtime Notes
- The first-step detector imports the npm package is-china-user.
- Node.js can reliably inspect timezone and limited runtime locale data.
- Browser coverage uses a temporary Playwright Chromium/headless-shell context, injects the installed is-china-user package bundle into that page, and does not read a personal browser profile.
- DOM/canvas-based emoji and font checks should be interpreted from the browser layer, not from Node-only runs.
- Optional network probing is off by default because it creates real remote requests and is noisy under proxies, extensions, DNS failures, or offline conditions.
- The upstream package currently has no declared license in GitHub/npm metadata, so this skill depends on it without vendoring its source.
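Added example, not the project's code: one way to honor the output contract and the Node-only limits above, so that a layer that was not measured is labelled as such and a clean status is only reported at full coverage. The function names, the timezone/locale matching rule, and the status rule are assumptions made for illustration; the is-china-user API is not used here.

```javascript
// Added example, not the project's code: all names here are hypothetical.
const LAYERS = ["runtime", "browser", "network"];

// Node-only layer: timezone and limited locale data from Intl.
function collectRuntimeSignals() {
  const { timeZone, locale } = new Intl.DateTimeFormat().resolvedOptions();
  // Assumption: this matching rule is illustrative, not is-china-user's logic.
  return [
    { name: "timezone", value: timeZone, matched: timeZone === "Asia/Shanghai" },
    { name: "locale", value: locale, matched: /^zh(-Hans)?-CN/.test(locale) },
  ];
}

// layers: { runtime: [...], browser: [...] | null, network: [...] | null }
// null or undefined means the layer was skipped or unavailable in this run.
function buildReport(layers) {
  const coverage = {};
  const signals = [];
  for (const layer of LAYERS) {
    const measured = Array.isArray(layers[layer]);
    coverage[layer] = measured ? "measured" : "not measured";
    for (const s of measured ? layers[layer] : []) signals.push({ source: layer, ...s });
  }
  const hit = signals.some((s) => s.matched);
  const full = LAYERS.every((l) => coverage[l] === "measured");
  // Assumed conservative rule: a clean result is only claimed at full coverage.
  const status = hit ? "china-signals-detected"
    : full ? "no-china-signal-detected" : "inconclusive";
  return { status, coverage, signals };
}

// Render the status, coverage table, and signal table as Markdown text.
function toMarkdown(report) {
  const rows = report.signals.map(
    (s) => `| ${s.source} | ${s.name}=${s.value} | ${s.matched ? "matched" : "no match"} |`);
  return [
    `Status: ${report.status}`,
    "", "| Layer | Coverage |", "| --- | --- |",
    ...LAYERS.map((l) => `| ${l} | ${report.coverage[l]} |`),
    "", "| Source | Value | Notes |", "| --- | --- | --- |", ...rows,
  ].join("\n");
}

console.log(toMarkdown(buildReport({ runtime: collectRuntimeSignals() })));
```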
Validation
Run before publishing changes:
npm test
npm run smoke:browser
npm run validate:skill
npm run eval:trigger
npm run export:ir
npm run secret:scan
Release Boundary
- Public claims must match the validation output.
- Do not publish secrets, local browser profiles, cookies, .env files, network credentials, or screenshots containing account data.
- Keep the README Chinese-first bilingual for Qiaomu-owned public releases.