📦 Bits Browser Automation — 浏览器自动化
v1.0.0通过 Bits MCP 服务器控制浏览器自动化代理,可执行网页抓取、表单填写、数据提取等任务,支持网站导航、元素点击、表单填充、OAuth 流程处理与结构化数据提取。
0· 2.1k·0 当前·0 累计
by 下载技能包
最后更新
2026/4/22
安全扫描
OpenClaw
可疑
medium confidenceThe skill's instructions align with a browser-automation integration, but metadata omissions and the instruction to fetch/run a remote npm MCP package plus an undeclared API key create notable inconsistencies and data-exfiltration risk.
评估建议
Summary of what to check before installing:
- Verify the service and package: confirm app.usebits.com is the legitimate Bits service and inspect the npm package 'usebits-mcp' (owner, version, recent activity, tarball contents) before running npx. Prefer a pinned version and checksum rather than blind 'npx -y'.
- Expect remote execution and data transfer: browser automation will send page contents and form values to the Bits service/sandbox. Do not automate pages that contain secrets or highly s...详细分析 ▾
ℹ 用途与能力
The SKILL.md describes a browser-automation MCP integration (navigate, click, fill forms, handle OAuth/2FA) which matches the skill name and description. However the registry metadata lists no source/homepage and declares no required env vars while the runtime instructions explicitly require a BITS_API_KEY and editing the agent MCP config. The missing metadata (source/homepage) and undeclared API key are inconsistent with the stated purpose.
⚠ 指令范围
The instructions tell the agent/operator to obtain an API key from app.usebits.com and add it as BITS_API_KEY to the MCP config (~/.openclaw/openclaw.json or ~/.claude.json). They also direct the agent to use an npx-installed 'usebits-mcp' package to run TypeScript in Bits' sandbox. This gives a remote service the ability to execute automation against websites and receive page contents (including any credentials or PII encountered), which is functionally necessary for browser automation but is a broad scope that should be explicit in metadata and trust decisions. The SKILL.md does not explicitly call out privacy/exfiltration risks of sending page content to Bits.
ℹ 安装机制
There is no formal install spec, but the runtime steps rely on 'npx -y usebits-mcp' which will download and execute code from the npm registry at first run. This is a common pattern but has higher risk than pure instruction-only skills because arbitrary remote code can be pulled and executed. The absence of a pinned package version, checksum, or authoritative source/homepage increases the risk.
⚠ 凭证需求
The skill metadata declares no required environment variables, yet SKILL.md instructs adding BITS_API_KEY (starts with 'bb_') to the MCP server env. That mismatch is a clear inconsistency. Additionally, the feature set mentions handling OAuth and stored credentials — implying user credentials or sensitive tokens may be uploaded/stored on the Bits platform. These credential flows are plausible for the described capability but deserve explicit declaration and justification in the metadata.
ℹ 持久化与权限
always:false (normal) and no requests to modify other skills are present. The instructions do require writing an MCP config entry (~/.openclaw/openclaw.json or ~/.claude.json), which is expected for adding a new MCP server. This is normal but the user should consciously permit editing their agent configuration.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/2/2
- Initial release of Bits MCP skill for browser automation. - Enables web scraping, form filling, data extraction, and browser-based automation via the Bits MCP server. - Provides setup instructions for API key creation and MCP server integration. - Supports TypeScript SDK execution in a sandboxed environment with code docs search. - Lists use cases: navigating sites, extracting data, reading pages, interacting with web elements, handling authentication, multi-window control, and structured JSON output. - Includes troubleshooting tips and workflow creation guidance.
● 可疑
安装命令
点击复制官方npx clawhub@latest install bits
镜像加速npx clawhub@latest install bits --registry https://cn.longxiaskill.com