by 安全扫描
OpenClaw
安全
medium confidenceThe skill's code, instructions, and requested resources are coherent with an anti-detection Playwright scraper — it requires npm/Playwright and downloads Chromium, and does not request unrelated credentials or hidden network callbacks; exercise caution because it installs browser binaries and implements evasion logic that can be misused.
评估建议
This package appears to be what it says: a Playwright-based stealth scraper. Before installing or running it, consider the following: (1) install in a controlled/sandbox environment (container or VM) because npm install and npx playwright install chromium will download and install packages and a browser binary to disk; (2) review the remainder of the stealth injection code (the SKILL listing was truncated) to ensure there are no unexpected network callbacks or telemetry; (3) be aware that finger...详细分析 ▾
✓ 用途与能力
Name/description (anti-bot Playwright scraper) match the included files and runtime behavior: scripts implement simple, stealth, and batch scraping, with UA/viewports/fingerprint tweaks and optional proxy/cookie input. There are no unrelated credentials, binaries, or config paths requested.
ℹ 指令范围
SKILL.md instructs the agent/user to run npm install, optionally run scripts/setup.js which itself may run npm install and npx playwright install chromium, and to execute the provided node scripts. The scripts read URL lists, accept proxy/cookie inputs, and write screenshots/HTML/JSON output to disk — all consistent with scraping functionality. One caveat: the provided stealth injection code (truncated in the package listing) modifies many browser-exposed APIs to evade detection; this is expected for the stated purpose but is also sensitive behavior (fingerprint evasion).
ℹ 安装机制
No platform install spec is present, but package.json and package-lock.json require npm install and the postinstall runs 'npx playwright install chromium' (plus scripts/setup.js also runs npm and npx). This will download packages and browser binaries (Playwright/Chromium) from registries/mirrors. This is expected for a Playwright-based tool but is a higher-risk install action than an instruction-only skill because it writes binaries to disk and runs lifecycle scripts.
✓ 凭证需求
The skill requests no environment variables or credentials. Command-line options accept proxy URLs and cookie JSON (user-supplied); that is appropriate for a scraper. There are no hidden env accesses in the visible code. No broad credential access or unrelated env vars are requested.
✓ 持久化与权限
Skill flags are default (always: false, user-invocable true) and it does not request permanent agent presence or modify other skills' configs. It does install local dependencies and browser binaries into the user's environment when npm install / npx playwright runs, which is normal for Playwright tools but should be run with user consent.
⚠ scripts/scraper-batch.js:101
Shell command execution detected (child_process).
⚠ scripts/setup.js:27
Shell command execution detected (child_process).
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/25
v1.0.0: 11 anti-detection techniques, batch mode, CSS selector, proxy support. Tested on Xiaohongshu.
● 无害
安装命令
点击复制官方npx clawhub@latest install anti-bot-scraper
镜像加速npx clawhub@latest install anti-bot-scraper --registry https://cn.longxiaskill.com