by 安全扫描
OpenClaw
可疑
high confidenceNULL
评估建议
What to consider before installing:
- The files included do NOT implement the advertised stealth browser; they only implement an early-access registration and status tool. The marketing claims (undetectable automation, fingerprinting, residential routing, system-level locks) are not present in the code you were given — treat the published description as promotional rather than functional.
- setup.sh will create a Python virtual environment, pip-install requests and python-dotenv, write a config ...详细分析 ▾
⚠ 用途与能力
SKILL.md and the description promise a sophisticated stealth browser (WindMouse physics, fingerprinting, residential routing, system-level access control). The shipped files (phantom_browser.py + setup.sh) contain only an early-access registration/status tool and dependency bootstrap — no code implements the claimed browser automation or proxy/fingerprinting features. That is a substantive mismatch between what is advertised and what is delivered.
ℹ 指令范围
Runtime instructions direct users to run setup.sh, create a venv, install dependencies, save a config to ~/.phantom-browser/config.json and a local .env, and POST the user's email and chosen use_case to https://clawagents.dev/reddit-rank/v1/phantom-browser/interest. Those actions are coherent for an early-access registration flow, but SKILL.md's broad claims about stealth behavior are not realized in the instructions — instructions do transmit minimal personal data (email + use_case) to an external service.
✓ 安装机制
No platform install spec is declared; setup.sh creates a Python venv and pip-installs small dependencies (requests, python-dotenv) from PyPI. This is a typical, moderate-risk install mechanism (no arbitrary binary downloads or obscure hosts).
✓ 凭证需求
The skill does not request environment variables, special credentials, or access to unrelated config paths. It writes/reads a local config at ~/.phantom-browser/config.json and creates a .env with an install id — these are proportionate to a waitlist/registration flow. The only external data transmitted is the email and selected use_case collected interactively.
ℹ 持久化与权限
always is false and the skill does not request system‑wide privileges. It does create a per-user directory (~/.phantom-browser) and a venv in the skill directory; that is expected. The SKILL.md claim of 'system-level access control' is not implemented in the provided code, which is an inconsistency worth noting.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.1.12026/3/24
NULL
● Pending
安装命令
点击复制官方npx clawhub@latest install ad-forge
镜像加速npx clawhub@latest install ad-forge --registry https://cn.longxiaskill.com