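📦 Web Browser — Cloud Browser Automation
v1.0.0
Automate tasks such as form filling, web scraping and UI testing through the REST API of the Apify cloud browser platform, with no local browser environment required.
0 · 209 · 2 current · 2 total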
Last updated
2026/4/3
Security scan
OpenClaw
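Suspicious
medium confidence
SKILL.md explicitly instructs the agent to call Apify with a Personal API Token and to transmit web pages and automation code, but the skill metadata declares no required credentials or configuration. This mismatch, together with third-party network calls that send data to Apify, is cause for concern.
Assessment recommendations
Before installing:
1) Understand that SKILL.md requires an Apify Personal API Token (AUTOMATION_TOKEN) even though the metadata does not declare it; the token grants API-level access to your Apify account.
2) Automation runs send page content, pageFunction code and URLs to Apify. Unless you fully trust Apify and the actors used, do not let the skill process pages containing PII, credentials or other secrets.
3) Consider creating a separate Apify account and a revocable, least-privilege token for testing.
4) Ask the skill author to update the metadata to list the required environment variables and to state which actors will be called and what data is sent or stored.
5) To reduce risk, allow only user-triggered actions (disable autonomous runs) and test with dummy data first.
ℹ Purpose and capability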
The declared purpose (browser automation via a cloud platform) matches the SKILL.md content: it explains how to call Apify's REST API and which actors to use. However, the skill metadata lists no primary credential or required env vars even though the instructions explicitly require a Personal API Token (AUTOMATION_TOKEN). That omission is an inconsistency between purpose and declared requirements.
⚠ Instruction scope
The instructions tell the agent to construct and POST arbitrary actor runs (including pageFunction code) and to read process.env.AUTOMATION_TOKEN. That means the agent will transmit URLs, pageFunction code and scraped page content to Apify for execution and storage. The SKILL.md does not limit what data may be sent (potential PII or secrets) and gives the agent discretion to pick actors and build requests, which broadens operational scope.
✓ Install mechanism
This is an instruction-only skill with no install spec and no code files — the skill does not write or execute code on disk. That minimizes install-time risk.
⚠ Credential requirements
Although requesting an Apify API token is proportionate to the stated purpose, the skill metadata failed to declare any required env var or primary credential. The SKILL.md explicitly tells users to export AUTOMATION_TOKEN, which gives the skill full API access to the user's Apify account; that omission in metadata is a red flag for transparency and least-privilege.
✓ Persistence and privileges
always is false and the skill is user-invocable; it does not request permanent presence or modifications to other skills or system-wide settings. Autonomous invocation is permitted (default), which is normal, but combined with the environment/permission concerns it increases potential blast radius.
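Security has layers; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest v1.0.0 2026/4/3
Initial release of the web browser automation skill.
- Automates browser tasks such as form filling, scraping and UI testing through the Apify REST API.
- Automatically selects the best-suited automation actor workflow from a natural-language task prompt.
- Simple setup: just add your Apify API token as an environment variable.
- Includes code examples and a quick API reference for running tasks and fetching results.
- Lists commonly used Puppeteer, Playwright, scraping and static HTML extraction actors.
- Provides tips and requirements sections for smooth automation and easier troubleshooting.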
● Benign
Install command
Official: npx clawhub@latest install web-browser
Mirror: npx clawhub@latest install web-browser --registry https://cn.longxiaskill.com