📦 Stealth Browser — Skill Tool
v1.0.0 [auto-translated] Access websites with advanced bot protection to fetch HTML, screenshots, PDFs, or multiple pages in parallel using isolated browser contexts.
Security Scan
OpenClaw
Suspicious
Medium confidence: The skill largely matches its stated purpose (stealthy headless browsing) but includes risky behaviors (auto-installing npm deps, spawning child processes with unescaped user input, running Chromium with --no-sandbox and writing files in /tmp) that warrant caution before installation.
Assessment Recommendations
This skill appears to do what it claims (stealth browsing), but there are a few practical risks you should weigh before installing:
- Command-injection risk: The skill constructs shell commands by inserting user-provided URLs/arguments directly into execSync calls. If untrusted input reaches those args, it could be abused to run arbitrary shell commands. Ask the author to properly escape/avoid shell interpolation or run the child process with execFile/spawn and argument arrays.
- Auto-install s...
✓ Purpose and Capabilities
Name, README, SKILL.md, package.json and code all consistently implement a headless browser that tries to evade bot-detection (playwright-extra + stealth plugin). Requesting no env vars and no exotic system access is coherent; it does expect a system Chromium at /usr/bin/chromium as documented.
⚠ Instruction Scope
Runtime code (index.js -> execSync -> stealth-browser.js) executes arbitrary navigation to URLs provided by users and writes screenshots/PDFs to /tmp. The runBrowser command constructs a shell command by interpolating args directly into execSync without escaping — this creates a risk of shell/command injection if input is not strictly validated. The onLoad hook will also run 'npm install' in the skill directory, which is an automatic side-effect not described in SKILL.md.
ℹ Installation Mechanism
There's no declared install spec, but index.js's onLoad automatically runs 'npm install' if node_modules is missing. That will download and install many dependencies from the public npm registry (package-lock.json lists many packages). Using npm is expected here, but automatic installation at skill load time increases risk because new code is fetched/executed in the agent environment without an explicit install step.
✓ Credential Requirements
The skill declares no required environment variables or credentials and the code doesn't access external credentials. It does require network access to fetch target websites and filesystem write access to /tmp for screenshots/PDFs; those are proportional to its stated functionality.
✓ Persistence and Permissions
The always flag is false and the skill does not request system-wide settings or modify other skills. The onLoad npm install behavior gives it the ability to modify its own directory (create node_modules), which is typical for Node-based skills but worth noting.
Security is layered; review the code before running it.
Runtime Dependencies
No special dependencies
Versions
latest · v1.0.0 · 2026/2/20
Initial release
● Suspicious
Install Command
Official: npx clawhub@latest install xthezealot-stealth-browser
Mirror (accelerated): npx clawhub@latest install xthezealot-stealth-browser --registry https://cn.longxiaskill.com (mirror sync in progress)
Skill Documentation
Use /stealth-browser to access websites with advanced bot protection.
Commands
- /stealth-browser open - Fetch page HTML
- /stealth-browser screenshot - Take full-page screenshot
- /stealth-browser pdf - Save page as PDF
- /stealth-browser parallel [url3...] - Fetch multiple URLs in parallel
Examples
/stealth-browser open https://www.bazaraki.com/adv/6203561_2-bedroom-detached-house-for-sale/
/stealth-browser screenshot https://example.com
/stealth-browser pdf https://example.com
/stealth-browser parallel https://site1.com https://site2.com https://site3.com
Parallel Browsing
The parallel command fetches multiple URLs simultaneously using isolated browser contexts:
- Each URL gets its own isolated context (cookies, storage, etc.)
- Much faster than sequential fetching
- Results returned as formatted JSON
How It Works
Uses Playwright Extra with Stealth Plugin to mask automation signatures:
- Removes the navigator.webdriver flag
- Spoofs Chrome plugins and permissions
- Fakes WebGL/Canvas fingerprints
- Mimics real user behavior
Bypasses Cloudflare, reCAPTCHA, and most bot detection.