首页龙虾技能列表 › Lock Me In — 锁定我

Lock Me In — 锁定我

v1.2.0

锁定我工具。

0· 241·0 当前·0 累计
by @michaellod (MichaelLod)·MIT-0
下载技能包
License
MIT-0
最后更新
2026/4/13
安全扫描
VirusTotal
可疑
查看报告
OpenClaw
可疑
medium confidence
The skill's behavior broadly matches its stated purpose (remote interactive login + persistent sessions) but contains mismatches, anti-detection logic, and an unauthenticated public tunnel pattern that increase risk and deserve careful review before use.
评估建议
This skill does what it says (a remote headless-browser login tunnel that saves cookies/localStorage), but it has several caution points you should consider before installing or running it: - Registry metadata omits actual runtime requirements. SKILL.md and the script require Node.js, Playwright/Chromium, and cloudflared; ensure those are installed from official sources. - The script exposes an unauthenticated public tunnel URL (cloudflared). Treat any tunnel URL as extremely sensitive — do not...
详细分析 ▾
用途与能力
The skill claims to provide a remote browser login proxy and the included script implements that. However the registry metadata declared no requirements while SKILL.md and the script require Playwright/Chromium, cloudflared, and Node.js. The script also hard-codes an import path ('/app/node_modules/playwright-core') and probes Playwright caches and specific filesystem paths — these implementation details are plausible for the stated purpose but are not reflected in the registry metadata and look platform-specific.
指令范围
Runtime instructions and the script start a headless browser, expose a web UI, and create a temporary public cloudflared tunnel with no built-in authentication. SKILL.md tells the operator/agent to 'Send the tunnel URL to the user via their messaging channel.' Exposing an unauthenticated, short-lived public UI that accepts clicks/keyboard input and persists auth cookies is within the feature set but is a high-risk action scope (sensitive session data may be exposed if the URL leaks). The script also injects stealth/anti-detection scripts into pages — appropriate for automation but increases risk if abused.
安装机制
This is an instruction-only skill with one shipped script and no install spec. No external binary is downloaded by the skill itself. SKILL.md instructs how to install cloudflared (GitHub release URL) and Playwright via npx, which are conventional but will be performed manually by the operator.
凭证需求
The registry metadata listed no required env vars, but SKILL.md and the script use multiple environment variables (LOCK_ME_IN_SESSIONS_DIR, LOCK_ME_IN_CHROME_PATH, LOCK_ME_IN_PORT, OPENCLAW_PROXY_URL and in code LOCK_ME_IN_CLOUDFLARED). OPENCLAW_PROXY_URL or LOCK_ME_IN_CLOUDFLARED could carry credentials or control where traffic is proxied. The skill writes sensitive session state (storage.json containing cookies/localStorage) to disk; that is expected for the purpose but is highly sensitive and the skill does not provide enforced protection or encryption for those files.
持久化与权限
The skill does not request always:true and does not appear to modify other skills or system-wide configuration. It persists session files to a sessions directory (default /data/home/.browser-sessions), which is normal for its purpose but increases blast radius if the environment is shared. The platform-default ability for the agent to invoke the skill autonomously combined with saved authenticated sessions is worth caution.
scripts/browser-login.mjs:419
Shell command execution detected (child_process).
scripts/browser-login.mjs:69
Environment variable access combined with network send.
安全有层次,运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发,无需署名。

运行时依赖

无特殊依赖

版本

latestv1.2.02026/3/15

Mobile touch click fix, /eval and /click-text endpoints for JS elements (Google OAuth), SingletonLock auto-cleanup, crash-safe signal handlers, 1920x1080 viewport, persistent Chrome profile with stealth evasions

● 可疑

安装命令 点击复制

官方npx clawhub@latest install lock-me-in
镜像加速npx clawhub@latest install lock-me-in --registry https://cn.clawhub-mirror.com

技能文档

Remote browser login via temporary public URL. The user logs in visually; cookies persist for future automation.

如何 Works

  • Agent launches headless Chromium 带有 Playwright
  • web UI streams live screenshots 的 browser
  • Cloudflared creates temporary 公开 tunnel URL
  • 用户 opens 链接, clicks/types 到 log 在...中
  • 会话 (cookies + localStorage) saved 到 disk
  • Future Playwright sessions 加载 saved state

Quick 开始

# Start a login session
node /scripts/browser-login.mjs  
# Examples
node /scripts/browser-login.mjs https://linkedin.com/login linkedin
node /scripts/browser-login.mjs https://github.com/login github
node /scripts/browser-login.mjs https://mail.google.com gmail

Run in background with nohup, capture the tunnel URL from stdout: 

nohup node /scripts/browser-login.mjs   > /tmp/lock-me-in.log 2>&1 &
# Wait for URL:
grep -m1 'LOGIN URL' /tmp/lock-me-in.log

Send the tunnel URL to the user via their messaging channel.

Loading Saved Sessions

To use a saved session in Playwright automation:

import { chromium } from 'playwright-core';
const browser = await chromium.launch({ executablePath: CHROME_PATH, headless: true, args: ['--no-sandbox'] });
const context = await browser.newContext({
  storageState: '/data/home/.browser-sessions//storage.json'
});
const page = await context.newPage();
await page.goto('https://linkedin.com/feed'); // Already logged in!

会话 Storage

Sessions persist at /data/home/.browser-sessions//:

  • storage.json — Cookies + localStorage (Playwright 格式)
  • meta.json — 会话 metadata (最后的 URL, 时间戳, Cookie 计数)

List saved sessions: ls /data/home/.browser-sessions/

Configuration

Environment variables:

  • LOCK_ME_IN_SESSIONS_DIR — Override sessions dir (默认: /data/home/.browser-sessions)
  • LOCK_ME_IN_CHROME_PATH — Override Chrome path (auto-detected 从 Playwright)
  • LOCK_ME_IN_PORT — Override local proxy port (默认: 18850)
  • OPENCLAW_PROXY_URL — HTTP proxy 对于 browser traffic (auto-parsed 对于 auth)

Script flags:

  • --port=N — Local proxy port
  • --超时=N — Auto-关闭 之后 N seconds (默认: 900 = 15 min)

Requirements

  • Playwright-compatible Chromium (installed 通过 npx playwright install chromium)
  • cloudflared binary 对于 tunneling (install: curl -sL https://github.com/cloudflare/cloudflared/releases/latest/下载/cloudflared-linux-amd64 -o /usr/local/bin/cloudflared && chmod +x /usr/local/bin/cloudflared)
  • 节点.js 18+

Web UI Controls

  • Click 在...上 screenshot 到 click position
  • 发送 types text 进入 focused 元素
  • 标签页 / Enter 对于 keyboard 导航
  • ← Back browser back 按钮
  • ↓ Scroll scroll down
  • Navigate go 到 specific URL
  • 💾 保存 persist 会话 没有 closing
  • ✅ 已完成 保存 和 关闭 everything

Security Notes

  • Tunnel URLs random 和 short-lived (有效 仅 当...时 process runs)
  • 否 authentication 在...上 tunnel 由 默认 — 分享 URL 仅 带有 intended 用户
  • Sessions contain auth cookies — treat storage.json 作为 sensitive
  • Auto-closes 之后 15 minutes 由 默认 到 limit exposure
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制

了解定制服务