Agent Browser Stealth — 技能工具

Name: Agent Browser Stealth — 技能工具
Author: bfchain2-hub

bfchain2-hub

🎭 Agent Browser Stealth — 技能工具

v1.0.0

[自动翻译] Stealth browser automation with anti-detection. Launches Chromium with fingerprint randomization, webdriver flag removal, Canvas/WebGL spoofing, and p...

0· 92·0 当前·0 累计

by @bfchain2-hub·MIT-0

浏览器自动化自动化智能体开发工具

下载技能包

License

MIT-0

最后更新

2026/3/27

安全扫描

VirusTotal

无害

查看报告

OpenClaw

可疑

medium confidence

The skill does what it says (Playwright-based stealth automation) but contains behaviors that can capture sensitive inputs and persist session state without clear warnings, so its requirements and runtime actions are broader/riskier than the description implies.

评估建议

This skill is coherent with its stealth automation goal, but exercise caution before using it with real accounts or sensitive targets. Specific things to consider before installing or running: - 'snapshot' can capture input values (it records element.value slices), which may include passwords or tokens — avoid running snapshot on pages with credentials or remove/modify value-capture in the script. - The script writes a local session file (.session.json) and may save Playwright storageState fi...

详细分析 ▾

ℹ 用途与能力

Using Playwright and Chromium launch flags is consistent with the stated purpose of anti-detection automation. The included JS implements the claimed stealth techniques (navigator.webdriver masking, canvas/webgl spoofing, permissions override). However the snapshot feature also reads input 'value' attributes and returns them — a capability that can expose passwords or other sensitive fields and is not called out as a privacy/security caveat in SKILL.md.

⚠ 指令范围

SKILL.md instructs running the provided script and to use --continue to persist sessions but does not warn that 'snapshot' will collect element values (including input values), that a local .session.json is written, or that the script will attempt to connect to a CDP endpoint at http://localhost:9222 when resuming. The script also overrides Permissions API responses (for notifications/geolocation/etc.), which changes page behavior beyond simple navigation. These actions widen the agent's read/write scope and could leak sensitive data if used with real credentials or exposed CDP ports.

✓ 安装机制

There is no automated installer in the registry entry; SKILL.md recommends installing Playwright via npm/npx (a standard, expected approach). No remote, untrusted binary downloads or extract-from-arbitrary-URL installs are present in the package files. Network access to npm is required by the user to obtain Playwright.

⚠ 凭证需求

The skill declares no credentials or env vars, which fits its purpose, but it still reads/writes local session files (.session.json and user-provided storageState files) and returns captured page element metadata and input values. That local file I/O and the ability to capture input values are disproportionate to a user expectation of 'stealth' — they introduce a credential-exposure risk even though no external secrets are requested.

ℹ 持久化与权限

always:false (no forced persistence), and the skill only writes a local .session.json to track active sessions (normal for session reuse). It also attempts to connect to a local CDP at http://localhost:9222 when resuming (only localhost). These are moderate privileges but not platform-global; still, resuming via CDP could behave unexpectedly if a CDP endpoint is forwarded/exposed.

安全有层次，运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发，无需署名。

查看条款 ↗

运行时依赖

🖥️ OSmacOS · Linux · Windows

版本

latestv1.0.02026/3/27

agent-browser-stealth 1.0.0 - Initial release of a stealth browser automation tool for evading detection on bot-protected sites. - Launches Chromium with multiple anti-detection techniques: fingerprint randomization, webdriver flag removal, Canvas/WebGL spoofing, and permissions API masking. - Provides CLI commands for opening pages, interacting with elements via refs, inspecting page data, and session management. - Supports Playwright session persistence for repeatable logins. - Designed for use cases like web scraping, login automation, and accessing protected content.

● 无害

安装命令点击复制

官方npx clawhub@latest install agent-browser-stealth-xyh

镜像加速npx clawhub@latest install agent-browser-stealth-xyh --registry https://cn.clawhub-mirror.com

技能文档

Anti-detection browser automation built on Playwright. Launches Chromium with layered stealth to evade bot detection on protected sites.

Architecture

agent-browser-stealth
└── stealth-launch.js    # Playwright + CDP stealth wrapper
    ├── Removes navigator.webdriver
    ├── Spoofs Canvas/WebGL fingerprints
    ├── Masks chrome.runtime
    ├── Patches Permissions API
    ├── Hides automation CSS flags
    └── Preserves full Playwright functionality

Commands

# Launch and navigate node scripts/stealth-launch.js open https://example.com # Get interactive elements (ref-based) node scripts/stealth-launch.js snapshot # → Returns refs e1, e2, e3... with element metadata # Interact node scripts/stealth-launch.js click e3 node scripts/stealth-launch.js fill e2 "text to fill" node scripts/stealth-launch.js type e2 "typed slowly" node scripts/stealth-launch.js press Enter # Inspect node scripts/stealth-launch.js screenshot [path] node scripts/stealth-launch.js get text e1 node scripts/stealth-launch.js get attr e5 href node scripts/stealth-launch.js get value e2

# Close node scripts/stealth-launch.js close

Snapshot Refs

snapshot returns numbered refs (e1, e2, ...) — use these for subsequent interactions:

1. [a] "Sign In" → /login
[input] placeholder="Email"
[input] type=password
[button] "Submit"

Then:

node scripts/stealth-launch.js click e1    # click Sign In
node scripts/stealth-launch.js fill e2 "user@example.com"
node scripts/stealth-launch.js fill e3 "password"
node scripts/stealth-launch.js click e4      # Submit

Stealth Layers

Layer	Technique
WebDriver Flag	`Object.defineProperty(navigator, 'webdriver', { get: () => undefined })`
Chrome Runtime	`chrome.runtime` nullified
Canvas Fingerprint	`getImageData` returns noise instead of real data
WebGL Vendor/Renderer	Spoofed to Intel Iris OpenGL Engine
Permissions API	Returns `granted` for notifications/geolocation
getComputedStyle	Animations/transition stripped
Viewport	Randomized within 1280-1330 × 900-950

Installation

npm install -g playwright
npx playwright install chromium

The skill uses Playwright as a local dependency via npx — no global install of stealth plugins needed.

Session Persistence

For login persistence, use Playwright's built-in storageState:

// In scripts/stealth-session.js — save auth after login
import { chromium } from 'playwright';const browser = await chromium.launch({ 
  headless: true,
  args: ['--disable-blink-features=AutomationControlled', '--no-sandbox']
});
const page = await browser.newPage();
// ... perform login ...
await page.context().storageState({ path: 'auth.json' });
// Next run:
const browser = await chromium.launch({ headless: true });
const context = await browser.newContext({ storageState: 'auth.json' });

Anti-Detection Testing

Test stealth effectiveness:

node scripts/stealth-launch.js open https://bot.sannysoft.com
node scripts/stealth-launch.js snapshot
# All checks should show green/undetected

Limitations

Cloudflare JS Challenge: May require headed mode + manual solve
CAPTCHAs: Requires external solver (2Captcha, etc.) — not built in
Very aggressive sites: May need proxy rotation (residential proxies)

Examples

Login to a Protected Site

node scripts/stealth-launch.js open https://target-site.com/login
node scripts/stealth-launch.js snapshot
node scripts/stealth-launch.js fill e1 "email@example.com"
node scripts/stealth-launch.js fill e2 "password"
node scripts/stealth-launch.js click e3
node scripts/stealth-launch.js screenshot
node scripts/stealth-launch.js close

Scrape Dynamic Content

node scripts/stealth-launch.js open https://news.site.com
node scripts/stealth-launch.js snapshot
# Identify article refs, then extract
node scripts/stealth-launch.js get html e5
node scripts/stealth-launch.js close

Stealth vs agent-browser

Feature	agent-browser	agent-browser-stealth
Anti-detection	❌ None	✅ 8 layers
Fingerprint spoofing	❌ None	✅ Canvas + WebGL
CDP-based	✅ Native Rust	✅ Playwright
Session isolation	✅	✅
Complexity	Lightweight	Slightly heavier
Best for	General automation	Protected sites

Anti-detection browser automation built on Playwright. Launches Chromium with layered stealth to evade bot detection on protected sites.

Architecture

agent-browser-stealth
└── stealth-launch.js    # Playwright + CDP stealth wrapper
    ├── Removes navigator.webdriver
    ├── Spoofs Canvas/WebGL fingerprints
    ├── Masks chrome.runtime
    ├── Patches Permissions API
    ├── Hides automation CSS flags
    └── Preserves full Playwright functionality

Commands

# Launch and navigate node scripts/stealth-launch.js open https://example.com # Get interactive elements (ref-based) node scripts/stealth-launch.js snapshot # → Returns refs e1, e2, e3... with element metadata # Interact node scripts/stealth-launch.js click e3 node scripts/stealth-launch.js fill e2 "text to fill" node scripts/stealth-launch.js type e2 "typed slowly" node scripts/stealth-launch.js press Enter # Inspect node scripts/stealth-launch.js screenshot [path] node scripts/stealth-launch.js get text e1 node scripts/stealth-launch.js get attr e5 href node scripts/stealth-launch.js get value e2

# Close node scripts/stealth-launch.js close

Snapshot Refs

snapshot returns numbered refs (e1, e2, ...) — use these for subsequent interactions:

1. [a] "Sign In" → /login
[input] placeholder="Email"
[input] type=password
[button] "Submit"

Then:

node scripts/stealth-launch.js click e1    # click Sign In
node scripts/stealth-launch.js fill e2 "user@example.com"
node scripts/stealth-launch.js fill e3 "password"
node scripts/stealth-launch.js click e4      # Submit

Stealth Layers

Layer	Technique
WebDriver Flag	`Object.defineProperty(navigator, 'webdriver', { get: () => undefined })`
Chrome Runtime	`chrome.runtime` nullified
Canvas Fingerprint	`getImageData` returns noise instead of real data
WebGL Vendor/Renderer	Spoofed to Intel Iris OpenGL Engine
Permissions API	Returns `granted` for notifications/geolocation
getComputedStyle	Animations/transition stripped
Viewport	Randomized within 1280-1330 × 900-950

Installation

npm install -g playwright
npx playwright install chromium

The skill uses Playwright as a local dependency via npx — no global install of stealth plugins needed.

Session Persistence

For login persistence, use Playwright's built-in storageState:

// In scripts/stealth-session.js — save auth after login
import { chromium } from 'playwright';const browser = await chromium.launch({ 
  headless: true,
  args: ['--disable-blink-features=AutomationControlled', '--no-sandbox']
});
const page = await browser.newPage();
// ... perform login ...
await page.context().storageState({ path: 'auth.json' });
// Next run:
const browser = await chromium.launch({ headless: true });
const context = await browser.newContext({ storageState: 'auth.json' });

Anti-Detection Testing

Test stealth effectiveness:

node scripts/stealth-launch.js open https://bot.sannysoft.com
node scripts/stealth-launch.js snapshot
# All checks should show green/undetected

Limitations

Cloudflare JS Challenge: May require headed mode + manual solve
CAPTCHAs: Requires external solver (2Captcha, etc.) — not built in
Very aggressive sites: May need proxy rotation (residential proxies)

Examples

Login to a Protected Site

node scripts/stealth-launch.js open https://target-site.com/login
node scripts/stealth-launch.js snapshot
node scripts/stealth-launch.js fill e1 "email@example.com"
node scripts/stealth-launch.js fill e2 "password"
node scripts/stealth-launch.js click e3
node scripts/stealth-launch.js screenshot
node scripts/stealth-launch.js close

Scrape Dynamic Content

node scripts/stealth-launch.js open https://news.site.com
node scripts/stealth-launch.js snapshot
# Identify article refs, then extract
node scripts/stealth-launch.js get html e5
node scripts/stealth-launch.js close

Stealth vs agent-browser

Feature	agent-browser	agent-browser-stealth
Anti-detection	❌ None	✅ 8 layers
Fingerprint spoofing	❌ None	✅ Canvas + WebGL
CDP-based	✅ Native Rust	✅ Playwright
Session isolation	✅	✅
Complexity	Lightweight	Slightly heavier
Best for	General automation	Protected sites

数据来源：ClawHub ↗ · 中文优化：龙虾技能库

OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险，如需更匹配、更安全的方案，建议联系付费定制

了解定制服务

License

运行时依赖

版本

安装命令 点击复制

技能文档

Architecture

Commands

Snapshot Refs

Stealth Layers

Installation

Session Persistence

Anti-Detection Testing

Limitations

Examples

Login to a Protected Site

Scrape Dynamic Content

Stealth vs agent-browser

Architecture

Commands

Snapshot Refs

Stealth Layers

Installation

Session Persistence

Anti-Detection Testing

Limitations

Examples

Login to a Protected Site

Scrape Dynamic Content

Stealth vs agent-browser

安装命令点击复制