Security scan
OpenClaw
Suspicious
High confidence: this skill is a coherent remote wrapper for a Camofox server, but the registry metadata omits the required CAMOFOX_URL environment variable, and the runtime instructions explicitly send all page content (snapshots, screenshots, typed text, navigation) to an external HTTP endpoint. You should therefore only point it at a server you control, and the metadata mismatch is a red flag.
Assessment recommendations
Key things to consider before installing: (1) The SKILL.md requires CAMOFOX_URL but the registry metadata does not list any required env vars — ask the publisher to correct that. (2) This skill will send page snapshots, screenshots, typed text and navigation metadata to whatever CAMOFOX_URL you set — only point it at a server you control/trust (run your own Camofox container locally or in an isolated network). (3) Do not set CAMOFOX_URL to a third-party or unknown endpoint if you will interact with credentials, personal data, ...
⚠ Purpose and capabilities
The SKILL.md and included scripts clearly require a CAMOFOX_URL (and optionally CAMOFOX_SESSION / HTTPS_PROXY), write state to /tmp, and drive an external browser over HTTP. But the registry metadata lists no required environment variables or primary credential — that is inconsistent. The code files and templates are consistent with the stated purpose (remote-mode browser automation), so the main coherence problem is the missing CAMOFOX_URL declaration in the metadata.
⚠ Instruction scope
Runtime instructions and the script send snapshots, screenshots, typed text, tab IDs and navigation history to whatever CAMOFOX_URL is set to (via curl). The SKILL.md warns users to only point at a server they control, which is appropriate, but this behavior means pointing CAMOFOX_URL at an attacker-controlled host would exfiltrate sensitive browsing data. The scripts also read/write local state files (/tmp/camofox-state and /tmp/camofox-screenshots) and reference local paths in templates (e.g., $HOME/.claude/skills...), which is expected for this tool.
✓ Installation mechanism
There is no install spec; the skill is instruction/script-based and runs local bash/python3/curl commands already present on the host. That is low-risk compared to downloading and executing remote archives. The bundle does include executable scripts and templates that will be run locally if invoked.
⚠ Credential requirements
The runtime requires CAMOFOX_URL (mandatory), CAMOFOX_SESSION (optional) and optionally HTTPS_PROXY, but the registry metadata omitted these requirements. No cloud credentials are requested (good), however the required CAMOFOX_URL grants the remote server full visibility into snapshots, screenshots, typed data and navigation — a high-sensitivity capability that must be justified and limited. The mismatch between declared and actual env requirements is unexpected and should be corrected.
ℹ Persistence and permissions
The skill does not request always:true and is user-invocable; autonomous invocation is allowed by default. The script stores transient state and screenshots under /tmp which is normal for this use case. Because the agent can invoke skills autonomously, a compromised or malicious CAMOFOX_URL could be abused at runtime — but autonomous invocation alone is not a disqualifying issue.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
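latest v1.0.2 2026/4/21
- Added installation instructions for users who have not added camofox-remote to PATH, including setting up a Bash alias with the provided script.
- No other changes detected.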
● Suspicious
Install command
Official: npx clawhub@latest install camofox-browser-remote
Mirror: npx clawhub@latest install camofox-browser-remote --registry https://cn.longxiaskill.com
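Skill documentation
Stealth browser automation through Camoufox: drives an externally hosted server over HTTP, with no local installation and no Node process started.
Prerequisite configuration (required)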
```bash
export CAMOFOX_URL=http://172.17.0.1:9377 # required, no default
```
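The server is managed externally (Docker container, shared staging, CI). This skill only issues calls to it. For Docker networking details, see references/docker.md.

If camofox-remote is not found on PATH: set up an alias using the script bundled with this skill. Replace the placeholder with the directory that contains SKILL.md:
```bash
alias camofox-remote="bash /scripts/camofox-remote.sh"
```
Example: if SKILL.md is at ~/my-skills/camofox-browser-remote/SKILL.md, use ~/my-skills/camofox-browser-remote.

Trust warning: every command (page snapshots, screenshots, typed text, browsing history) is sent over HTTP to CAMOFOX_URL. Point it only at a server you own and control; if you visit sites that involve credentials or sensitive data, do not use a shared or third-party endpoint.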
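One way to enforce the trust warning before any command runs, as an added example that is not part of the skill or its scripts: a pre-flight check that accepts CAMOFOX_URL only when it targets loopback, an RFC 1918 address, or an allowlisted host reached over https. The function names and the CAMOFOX_TRUSTED_HOSTS variable are hypothetical, and the check is a network-locality heuristic, not proof that you operate the server.

```bash
# Added example, not part of the skill. CAMOFOX_TRUSTED_HOSTS is a
# hypothetical space-separated allowlist of hosts you operate.

camofox_url_host() {   # print the host of an http(s) URL, else fail
  local url="$1" authority host
  case $url in
    http://*|https://*) authority=${url#*://} ;;
    *) return 1 ;;
  esac
  authority=${authority%%[/?#]*}
  case $authority in
    ''|*@*) return 1 ;;                                # no host, or embedded credentials
    \[*\]*) host=${authority%%\]*}; host=${host#\[} ;; # [IPv6]:port
    *) host=${authority%%:*} ;;
  esac
  [ -n "$host" ] && printf '%s\n' "$host"
}

is_ipv4_literal() {    # digits and dots only, exactly four parts
  case $1 in
    *[!0-9.]*|*.*.*.*.*|.*|*.|*..*) return 1 ;;
    *.*.*.*) return 0 ;;
  esac
  return 1
}

camofox_url_is_trusted() {
  local url="$1" host h
  host=$(camofox_url_host "$url") || return 1
  case $host in localhost|::1) return 0 ;; esac
  if is_ipv4_literal "$host"; then   # range-match only real IP literals,
    case $host in                    # so 127.0.0.1.example.net is not "loopback"
      127.*|10.*|192.168.*) return 0 ;;
      172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
  fi
  for h in ${CAMOFOX_TRUSTED_HOSTS:-}; do   # named hosts must be reached over TLS
    if [ "$h" = "$host" ]; then
      case $url in https://*) return 0 ;; esac
    fi
  done
  return 1
}

# Gate the wrapper on the check (prints nothing when the URL passes).
camofox_url_is_trusted "${CAMOFOX_URL:-}" ||
  echo "refusing: CAMOFOX_URL is unset or not an endpoint you control" >&2
```

Source this file in the shell profile ahead of the camofox-remote alias, or call camofox_url_is_trusted at the top of a wrapper script and exit on failure.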
Quick start
```bash
camofox-remote open https://example.com # open a new tab and navigate
camofox-remote snapshot # get page elements with @refs
camofox-remote click @e1 # click an element
camofox-remote type @e2 "hello" # type text
camofox-remote screenshot # save a PNG
camofox-remote close # close the tab
```
Core workflow
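- Navigate: camofox-remote open
- Snapshot: returns an accessibility tree with @e1, @e2 refs (about 90% smaller than the raw HTML)
- Interact: use the refs to click, type and scroll
- Re-snapshot: refs become invalid once the DOM changes and must be fetched again
- Loop: the server keeps running between commands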
```bash
camofox-remote open https://example.com/search
camofox-remote snapshot # @e1 [input] Search box @e2 [button] Submit
camofox-remote type @e1 "camoufox anti-detection"
camofox-remote click @e2
camofox-remote snapshot # a re-snapshot is required after navigation
```
Command quick reference
| Category | Commands |
|---|---|
| Server | health, start (no-op; the container is managed externally), stop (no-op) |
| Navigation | open, navigate, back, forward, refresh, scroll [down\|up\|left\|right] |
| Page state | snapshot, screenshot [path], tabs, links |
| Interaction | click @eN, type @eN "text" |
| Search | search google "query" (13 macros, see references/macros.md) |
| Session | --session, close, close-all |

Full reference and curl equivalents: references/commands.md.
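Ref lifecycle (critical)
Refs (@e1, @e2) become invalid when the DOM changes. Always re-snapshot after:
- Clicking a link or button that navigates
- Submitting a form
- Dynamic content loading (infinite scroll, SPA route changes)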
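Environment variables
| Variable | Default | Description |
|---|---|---|
| CAMOFOX_URL | required | Remote base URL, e.g. http://172.17.0.1:9377; no default |
| CAMOFOX_SESSION | default | Default session name (isolates cookies/storage) |
| HTTPS_PROXY | (unset) | Egress proxy for the browser |

When to use camofox-browser-remote instead of agent-browser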
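| Scenario | Tool |
|---|---|
| Ordinary sites with no bot detection | agent-browser (faster) |
| Protected by Cloudflare / Akamai | camofox-browser-remote |
| Sites that block Chromium automation | camofox-browser-remote |
| Anti-fingerprinting needed | camofox-browser-remote |
| iOS / mobile emulation needed | agent-browser |
| Screen recording needed | agent-browser |

In-depth references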
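| File | When to consult |
|---|---|
| references/docker.md | Docker setup, networking, compose examples, CAMOFOX_URL configuration |
| references/commands.md | When you need exact parameters, output formats, or curl equivalents |
| references/api-reference.md | When you need to call endpoints the wrapper does not expose |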
| references/macros.md |