by 安全扫描
OpenClaw
可疑
high confidenceThe skill's behavior mostly matches its stated goal (automating DataDome bypass), but it reads undeclared secret files/variables, relies on undeclared runtimes/dependencies and writes persistent browser session/cookie artifacts — inconsistencies that merit caution before use.
评估建议
This skill orchestrates bypassing an anti-bot system and implements that behavior in the included script. Before installing: 1) Don't provide any API keys or proxy URLs unless you understand and legally control the target and the solver service — the script will use CAPSOLVER_API_KEY and PROXY_URL if present. 2) Inspect the referenced scripts from other skills (solver-credentials-bootstrap, captcha-challenge-layer, datadome-session-unlock) because this orchestrator calls them and also sources $W...详细分析 ▾
ℹ 用途与能力
Name/description match what the script does (probing, harvesting/injecting cookies, optional solver path). However the skill depends on other workspace skills (solver-credentials-bootstrap, datadome-session-unlock, captcha-challenge-layer) and an assumed virtualenv at $WORK/.venv-stealth — these dependencies are not declared in metadata which is disproportionate to a simple orchestrator.
⚠ 指令范围
The runtime script sources $WORK/.secrets/credentials.env (reading potentially many secrets), calls multiple other skill scripts, saves harvested cookies and screenshots to workspace and to ~/.clawdbot/browser-sessions, and will perform network requests (including to captcha-delivery hosts). The SKILL.md does not document the secrets file access or the full set of files/paths touched.
⚠ 安装机制
There is no install spec yet the script expects a Python runtime, Node/Playwright, and a Python virtualenv at $WORK/.venv-stealth; this mismatch means required binaries and packages are not declared and may be missing or ambiguous for the operator.
⚠ 凭证需求
SKILL.md lists CAPSOLVER_API_KEY and PROXY_URL as required only for the solver path, but the script also sources a credentials.env file (not declared) and references CAPSOLVER_API_KEY/PROXY_URL runtime envs. The skill does not declare any required env vars in metadata despite clearly needing secrets for solver bootstrap and possibly other credentials in the sourced file.
⚠ 持久化与权限
The skill writes persistent artifacts and browser session state into the user's home (~/.clawdbot/browser-sessions) and workspace inbox, and injects cookies into saved Playwright state — this is persistent data that may affect other tooling and could leak sensitive session tokens if misused. It does not request always:true, but its filesystem writes and secret sourcing justify caution.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/1
Initial release: anti-bot probe, fallback cookie harvest, session injection, retest, and solver bootstrap integration.
● 可疑
安装命令 点击复制
官方npx clawhub@latest install datadome-super-bypass
镜像加速npx clawhub@latest install datadome-super-bypass --registry https://cn.clawhub-mirror.com
技能文档
Overview
Run a single orchestrator that executes all available bypass layers in order and reports what still blocks progress.Run
bash scripts/run_super_bypass.sh "https://propwire.com/search?filters=%7B%7D" propwire
What it does
- Run solver credential bootstrap checks (env + optional balance check)
- Probe protected endpoint
- Attempt no-key DataDome cookie harvest (Playwright)
- Inject harvested cookie into Playwright state
- Retest for challenge presence
- If
CAPSOLVER_API_KEYandPROXY_URLare present, run solver path - Save artifacts/screenshots in
inbox/
Required for solver path
CAPSOLVER_API_KEYPROXY_URL
Outputs
- Probe HTML:
inbox/datadome_probe_super.html - Harvested cookie:
inbox/datadome_cookie_super.json - Retest screenshot:
inbox/super_bypass_retest.png - Session state:
~/.clawdbot/browser-sessions/_playwright_state.json
Notes
- Authorized access only.
- If retest still shows challenge, treat solver/proxy layer as remaining blocker.
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制