by 安全扫描
OpenClaw
安全
high confidenceThe skill's code, instructions, and examples are consistent with its stated purpose (storing, refreshing, and serving session cookies); there are no unexpected credential requests or remote installers—but it persists sensitive cookies to disk and includes an example local HTTP wrapper that could expose those cookies if misconfigured.
评估建议
This skill appears to do what it claims, but it handles highly sensitive data (session cookies). Before installing or running it: 1) Recognize that cookies stored under ~/.cookie_alive are secrets—restrict filesystem permissions, consider using a dedicated user or encrypted volume, and delete databases when no longer needed. 2) The examples include a local HTTP wrapper that defaults to 127.0.0.1 (safe) but can be bound to other interfaces—do not bind it to a public interface or network you do no...详细分析 ▾
✓ 用途与能力
The name/description (persist, refresh, serve cookies) matches the included scripts: a CLI that stores profiles in SQLite under ~/.cookie_alive, performs deterministic HTTP refresh requests, merges Set-Cookie updates, and returns cookies as a header/JSON/record. No unrelated cloud credentials, binaries, or install steps are requested.
ℹ 指令范围
SKILL.md and references describe only cookie storage/refresh/export operations and match the code. The examples run the CLI via subprocess and provide a local HTTP wrapper that exposes routes (/pull, /check, /list). That wrapper defaults to 127.0.0.1 but can be configured to bind elsewhere — if started on a public interface it could leak cookies. The runtime also writes databases under a home path (default ~/.cookie_alive), which is expected but means sensitive data is persisted to disk.
✓ 安装机制
No install spec and no external downloads. The skill is instruction/code-only and does not fetch or execute remote archives or third-party packages during installation. This minimizes install-time risk.
ℹ 凭证需求
The skill does not require secret environment variables or external credentials. It supports optional env overrides (COOKIE_ALIVE_HOME, SESSION_COOKIE_ONLINE_HOME, COOKIE_ALIVE_DB_NAME) which are reasonable. However, the tool persists sensitive cookie values in SQLite files under the resolved storage root; users should treat these as secrets and protect them accordingly.
✓ 持久化与权限
The skill does not request always:true and is user-invocable. It will create and update files under its own storage directory (~/.cookie_alive by default) but does not modify other skills or system-wide agent config. Autonomous invocation is allowed (platform default) but is not combined with other privilege escalations here.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/1
Session Cookie Online skill initial release: - Persist and refresh website session cookies using a local SQLite database. - Store, update, and retrieve session profiles via a CLI script. - Keep cookies alive by replaying deterministic HTTP keepalive requests on a schedule. - Merge Set-Cookie responses into the database and expose cookies to other programs. - Support input and output as HTTP Cookie headers or structured JSON maps. - Designed for lightweight session management without browser automation.
● 无害
安装命令 点击复制
官方npx clawhub@latest install cookie-alive
镜像加速npx clawhub@latest install cookie-alive --registry https://cn.clawhub-mirror.com
技能文档
Overview
Use this skill when a website session must stay alive without building a full browser-automation system.
The runtime script stores named session profiles in SQLite, replays a deterministic HTTP keepalive request, merges Set-Cookie updates back into the database, and exposes the current cookies to downstream programs.
Quick Start
- Pick a database name. The default is
default, which resolves to~/.cookie_alive/default.db. - Capture the current cookie as either a
Cookieheader string or a JSON object. - Store or update a named profile with
python {baseDir}/scripts/cookie_alive.py upsert .... - Validate the stored cookie with
python {baseDir}/scripts/cookie_alive.py get --profile. - Refresh it once with
python {baseDir}/scripts/cookie_alive.py refresh --profile. - Keep it alive with
python {baseDir}/scripts/cookie_alive.py run --profile.
Workflow Rules
- Prefer a lightweight authenticated endpoint for
--refresh-url, such as/ping,/me, or a low-cost page load. Avoid heavy pages when a cheaper endpoint exists. - Store cookies with
--cookie-headerwhen the source is browser devtools or another HTTP client. Store them with--cookie-jsonwhen the source is already structured. - Use
get --format headerwhen another program needs a literalCookieheader value. - Use
get --format recordorlistwhen another program needs metadata such asinterval_seconds,last_status_code, orlast_refreshed_at. - If the target site requires JavaScript timers, WebSocket traffic, or browser-only activity to stay logged in, use external browser automation to renew the cookie and write the updated cookie back with
upsert. This skill only performs deterministic HTTP requests.
Script
scripts/cookie_alive.py
References
references/commands.md
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制