Security Scan
OpenClaw
Safe
medium confidence
Assessment and recommendations
This skill appears to do what it says: automate uploads via the agent-browser CLI. Before installing or running it, confirm that you have the agent-browser CLI and a suitable Python runtime available (the metadata does not declare those dependencies). Understand that the script will resolve environment variables and can access any local file path you provide — do not pass paths to sensitive files (credentials, private keys, personal documents). If you plan to let the agent run autonomously, be e...
Detailed analysis
⚠ Purpose and capability
The SKILL.md and included Python script clearly expect and invoke the agent-browser CLI (and Python) to open pages and perform uploads, but the registry metadata lists no required binaries or install steps. A legitimate browser-file-upload skill would need to declare that agent-browser (and a Python runtime if using the script) must be present. This is a documentation/metadata omission rather than a functionality mismatch.
✓ Instruction scope
The runtime instructions and script stay within the stated purpose: they navigate to a URL, locate/click file input elements, and instruct agent-browser to upload a resolved local file path. The script resolves environment variables and workspace-relative paths for convenience. It does not contain network endpoints or logic that exfiltrates data to third-party servers beyond uploading to the target URL you supply (which is the intended behavior).
✓ Install mechanism
This is an instruction-only skill with an included Python script; there is no install spec, no downloads, and nothing written to disk beyond the provided files. No high-risk install mechanism is present.
ℹ Credential requirements
The skill declares no required environment variables, but the script will read OPENCLAW_WORKSPACE (if present) and expands any environment variables referenced in file paths (e.g., ${HOME}, %USERPROFILE%). Also, the script checks local filesystem paths and can read any file you point it at — which is necessary for uploads but means sensitive local files could be uploaded if given as input. This behavior is proportionate to the stated purpose but worth awareness.
✓ Persistence and privileges
The skill does not request persistent/always-on presence and does not modify other skills or system-wide configuration. Autonomous invocation is allowed by default (platform default), which is expected for an agent-invokable skill.
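Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/3/27
● Harmless
Install command
Official: npx clawhub@latest install browser-file-upload
Mirror (accelerated): npx clawhub@latest install browser-file-upload --registry https://cn.longxiaskill.com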