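Security scan
OpenClaw
Suspicious
Medium confidence. The skill's code and instructions are consistent with its stated purpose (PC browser automation); it uses browser automation techniques for interaction, requests appropriate configuration, and does not request unrelated credentials or unexpected endpoints.
Assessment recommendations
This skill does appear to do what it claims: a PC browser automation tool for web page interaction and operation. Before installing or running: 1) Confirm you are comfortable granting browser access; the tool can access any URL. 2) Use it only on sites you are authorized to access, and avoid accessing protected content unless you fully trust the setup. 3) The skill does not request credentials, but take care not to pass sensitive URLs or credentials to the scripts unless you trust the entire toolchain. 4) If you want higher assurance, review the included scripts locally before running.
Detailed analysis
⚠ Purpose and capabilities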
Name/description claim simple browser automation. However the included docs reference requiring an ANTHROPIC_API_KEY and optional Browserbase keys (BROWSERBASE_API_KEY, BROWSERBASE_PROJECT_ID) and an npm-installed CLI. The registry metadata declares no required env vars or binaries — that mismatch is unexplained. A legitimate CLI-based browser skill would reasonably need an API key for the model or Browserbase creds and a real install spec; the absence of those in the manifest is inconsistent.
⚠ Instruction scope
SKILL.md instructs automatic environment selection by checking a .env file for Browserbase keys and says selection occurs with 'No user prompting', implying the agent should read local config without asking. It also instructs running `npm install` and `npm link` and to use a persistent Chrome profile (.chrome-profile/) and agent download folder, which involves reading/writing local files, persisting cookies/sessions, and creating a global command — all outside a minimal 'read-only browse' scope and potentially exposing sensitive data (API keys, session cookies).
⚠ Install mechanism
There is no formal install spec in the registry, but SKILL.md/setup.json explicitly instructs `npm install` and `npm link`. That would modify disk and create a global binary. The skill bundle itself contains no code files or package manifest, so `npm install` may fail here — but the instructions still encourage installing arbitrary Node dependencies which is a high-risk action because it can fetch and run code from the network and alter the host environment.
⚠ Credential requirements
The skill manifest claims no required env vars, yet the docs require/encourage ANTHROPIC_API_KEY and optionally BROWSERBASE_API_KEY and BROWSERBASE_PROJECT_ID. The instructions tell the agent to check .env automatically. Requesting model API keys and remote service keys is plausible for AI-driven automation, but the lack of declaration in the registry and the automatic, non-interactive checking of local .env is disproportionate and risks accidental credential exposure or silent use of remote services.
⚠ Persistence and privileges
The setup flow recommends `npm link` to create a global 'browser' command (system-wide change) and uses a persistent Chrome profile directory (.chrome-profile/) that preserves cookies and sessions between runs. The skill does not set always:true, but the instructions still request persistent artifacts and global CLI installation which increases blast radius and privacy risk if installed without inspection.
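Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/2/6
Initial release; supports PC browser automation
● Suspicious
Install command
Official: npx clawhub@latest install browser-pc
Mirror (accelerated): npx clawhub@latest install browser-pc --registry https://cn.clawhub-mirror.com
Skill documentation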
Automate browser interactions using Stagehand CLI with Claude.
First: Environment Selection (Local vs Remote)
The skill automatically selects between local and remote browser environments:
- If Browserbase API keys exist (BROWSERBASE_API_KEY and BROWSERBASE_PROJECT_ID in the .env file): Uses remote Browserbase environment
- If no Browserbase API keys: Falls back to local Chrome browser
- No user prompting: selection happens automatically based on available configuration
Setup (First Time Only)
Check setup.json in this directory. If setupComplete: false:
npm install # Install dependencies
npm link # Create global 'browser' command
Commands
All commands work identically in both modes:
browser navigate # Go to URL
browser act "" # Natural language action
browser extract "" ['{}'] # Extract data (optional schema)
browser observe "" # Discover elements
browser screenshot # Take screenshot
browser close # Close browser
Quick Example
browser navigate https://example.com
browser act "click the Sign In button"
browser extract "get the page title"
browser close
Mode Comparison
| Feature | Local | Browserbase |
|---|---|---|
| Speed | Faster | Slightly slower |
| Setup | Chrome required | API key required |
| Stealth mode | No | Yes |
| Proxy/CAPTCHA | No | Yes |
| Best for | Development | Production/scraping |
Best Practices
- Always navigate first before interacting
- View screenshots after each command to verify
- Be specific in action descriptions
- Close browser when done
Troubleshooting
- Chrome not found: Install Chrome or use Browserbase mode
- Action fails: Use `browser observe` to discover available elements
- Browserbase fails: Verify API key and project ID are set
For detailed examples, see EXAMPLES.md. For API reference, see REFERENCE.md.
Data source: ClawHub · Chinese localization: 龙虾技能库