📦 OpenCLI Universal CLI Hub — 万能CLI中心
v1.0.0OpenCLI 是通用 CLI Hub,可把任意网站、Electron 应用或本地工具秒变命令行,内置 66+ 命令覆盖 Bilibili、Twitter、Reddit、小红书、GitHub 等平台,复用 Chrome 登录态,零 LLM 成本,输出稳定可预期。
1· 115·0 当前·0 累计
by 下载技能包
最后更新
2026/4/2
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill is coherent with its purpose but uses sensitive capabilities. Before installing: (1) review the npm package source code and author (@jackwener) and prefer reproducible release artifacts or pinned versions; (2) verify the Browser Bridge extension release artifacts (release URL, checksums) and inspect requested extension permissions; (3) consider running the CLI and extension inside an isolated environment (VM/container) or test account, not against your primary Chrome profile or import...详细分析 ▾
ℹ 用途与能力
Name/description match the behavior: converting websites/Electron apps/local tools to CLI reasonably requires Node, a daemon, and a browser bridge. Requiring node and asking to install opencli via npm is proportionate to the stated purpose. However the description's claim of "Zero risk, Reuse Chrome login" downplays the real security implications of reusing browser auth and installing a browser extension.
⚠ 指令范围
The SKILL.md instructs installing a global npm package, loading a Browser Bridge extension into Chrome, reusing Chrome login state, using browser_navigate/browser_network_requests/browser_evaluate and intercept techniques, and running a local daemon (port 19825). Those steps expose browser cookies/auth and local services to the tool and to any code the npm package and extension execute. The skill does not explicitly constrain or document how credentials/cookies are handled, what is sent externally, or which endpoints the extension/daemon will contact — leaving room for exfiltration or overbroad data access.
ℹ 安装机制
No formal install spec in registry, but SKILL.md directs: npm install -g @jackwener/opencli@latest (public npm). Installing a global npm package and a browser extension is common for a CLI+bridge, but both run arbitrary code on the host and get privileged access (global binaries, extension privileges). The SKILL.md also says to download an extension from GitHub Releases (reasonable host) but provides no release URL or checksum to verify integrity.
⚠ 凭证需求
The skill declares no environment variables, but the runtime instructions require access to Chrome login/cookies and local daemon endpoints. Accessing browser authentication and cookies is sensitive and not represented in requires.env or required config paths. The SKILL.md also implies intercepting requests and using credentials:'include' — operations that can access and transmit sensitive tokens/headers.
⚠ 持久化与权限
The flow installs a global binary, a browser extension, and runs a local daemon — all persistent artifacts. While always:false (not force-enabled), the installed components have lasting presence and privileges (browser extension can persist and a daemon can listen on localhost). The skill does not document least-privilege, opt-in boundaries, or how to uninstall/limit access.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/2
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install opencli-yuzengbao
镜像加速npx clawhub@latest install opencli-yuzengbao --registry https://cn.longxiaskill.com