Security scan
OpenClaw
Suspicious
High confidence: this skill is a coherent remote wrapper for a Camofox server, but the registry metadata omits the required CAMOFOX_URL environment variable, and the runtime instructions send all page content (snapshots, screenshots, typed text, navigation) in plaintext to an external HTTP endpoint. You should therefore point it only at a server you control; the metadata inconsistency is itself a red flag.
Assessment recommendations
Key things to consider before installing: (1) The SKILL.md requires CAMOFOX_URL but the registry metadata does not list any required env vars; ask the publisher to correct that. (2) This skill will send page snapshots, screenshots, typed text and navigation metadata to whatever CAMOFOX_URL you set; only point it at a server you control/trust (run your own Camofox container locally or in an isolated network). (3) Do not set CAMOFOX_URL to a third-party or unknown endpoint if you will interact with credentials, personal data, ...
⚠ Purpose and capabilities
The SKILL.md and included scripts clearly require a CAMOFOX_URL (and optionally CAMOFOX_SESSION / HTTPS_PROXY), write state to /tmp, and drive an external browser over HTTP. But the registry metadata lists no required environment variables or primary credential; that is inconsistent. The code files and templates are consistent with the stated purpose (remote-mode browser automation), so the main coherence problem is the missing CAMOFOX_URL declaration in the metadata.
⚠ Instruction scope
Runtime instructions and the script send snapshots, screenshots, typed text, tab IDs and navigation history to whatever CAMOFOX_URL is set to (via curl). The SKILL.md warns users to only point at a server they control, which is appropriate, but this behavior means pointing CAMOFOX_URL at an attacker-controlled host would exfiltrate sensitive browsing data. The scripts also read/write local state files (/tmp/camofox-state and /tmp/camofox-screenshots) and reference local paths in templates (e.g., $HOME/.claude/skills...), which is expected for this tool.
✓ Install mechanism
There is no install spec; the skill is instruction/script-based and runs local bash/python3/curl commands already present on the host. That is low-risk compared to downloading and executing remote archives. The bundle does include executable scripts and templates that will be run locally if invoked.
⚠ Credential requirements
The runtime requires CAMOFOX_URL (mandatory), CAMOFOX_SESSION (optional) and optionally HTTPS_PROXY, but the registry metadata omitted these requirements. No cloud credentials are requested (good); however, the required CAMOFOX_URL grants the remote server full visibility into snapshots, screenshots, typed data and navigation, a high-sensitivity capability that must be justified and limited. The mismatch between declared and actual env requirements is unexpected and should be corrected.
ℹ Persistence and privileges
The skill does not request always:true and is user-invocable; autonomous invocation is allowed by default. The script stores transient state and screenshots under /tmp, which is normal for this use case. Because the agent can invoke skills autonomously, a compromised or malicious CAMOFOX_URL could be abused at runtime, but autonomous invocation alone is not a disqualifying issue.
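Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.2 2026/4/21
- Added install instructions for users who have not added camofox-remote to PATH, including setting up a Bash alias with the provided script.
- No other changes detected.
● Suspicious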
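Install command
Official: `npx clawhub@latest install camofox-browser-remote`
Mirror (accelerated): `npx clawhub@latest install camofox-browser-remote --registry https://cn.longxiaskill.com`
Skill documentation
Stealth browser automation via Camoufox. Drives an externally hosted server over HTTP: no installation and no local Node process.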
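Required configuration
```bash
export CAMOFOX_URL=http://172.17.0.1:9377 # required, no default
```
The server runs externally (Docker container, shared test environment, CI). This skill only drives it. See references/docker.md for Docker networking details.

If `camofox-remote` is not found in PATH: set up an alias using the script bundled with this skill. Put the directory that contains SKILL.md in front of `/scripts/camofox-remote.sh`:
```bash
alias camofox-remote="bash /scripts/camofox-remote.sh"
```
Example: if SKILL.md is at `~/my-skills/camofox-browser-remote/SKILL.md`, use `~/my-skills/camofox-browser-remote`.

Trust requirement: all commands (page snapshots, screenshots, typed text, navigation history) are sent over HTTP to `CAMOFOX_URL`. Point it only at a server you own and control. If you will visit sites that hold credentials or sensitive data, do not use a shared or third-party endpoint.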
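A pre-flight check for the trust requirement above, as an added example that is not part of the skill or its scripts: it accepts CAMOFOX_URL only when the host is a loopback or RFC 1918 IPv4 literal. That policy, the function name `camofox_url_verdict` and its verdict words are assumptions made here; adjust the allow-list to the network you actually control.

```shell
#!/bin/sh
# Added example (not from the skill): vet CAMOFOX_URL before camofox-remote runs.
# Assumed policy: only loopback or RFC 1918 IPv4 literals count as "a server
# you own and control". Hostnames and IPv6 are rejected, not resolved.

# camofox_url_verdict URL -> prints one verdict word; returns 0 only for "ok".
camofox_url_verdict() (
  url=$1
  [ -n "$url" ] || { echo "unset"; exit 2; }

  case $url in
    http://*)  rest=${url#http://} ;;
    https://*) rest=${url#https://} ;;
    *) echo "bad-scheme"; exit 3 ;;
  esac

  authority=${rest%%/*}                 # strip the path
  case $authority in
    *@*) echo "userinfo"; exit 4 ;;     # user@host can disguise the real host
  esac
  host=${authority%%:*}                 # strip the port

  # Dotted-quad literals only: a hostname could resolve to any address.
  case $host in
    ''|*[!0-9.]*|.*|*.) echo "not-ip-literal"; exit 5 ;;
  esac
  oldifs=$IFS; IFS=.; set -- $host; IFS=$oldifs
  [ $# -eq 4 ] || { echo "not-ip-literal"; exit 5; }
  for octet in "$@"; do
    # Reject empty, 4+ digit and leading-zero octets (010 may parse as octal 8).
    case $octet in ''|????*|0?*) echo "not-ip-literal"; exit 5 ;; esac
    [ "$octet" -le 255 ] || { echo "not-ip-literal"; exit 5; }
  done

  if   [ "$1" -eq 127 ]; then :
  elif [ "$1" -eq 10 ]; then :
  elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then :
  elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then :
  else echo "public-address"; exit 6
  fi
  echo "ok"
)
```

Call it as `camofox_url_verdict "$CAMOFOX_URL" || exit 1` at the top of any wrapper that invokes the skill, so a missing or unexpected endpoint stops the run before any page data is sent.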
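Quick start
```bash
camofox-remote open https://example.com # open a new tab and navigate
camofox-remote snapshot # get page elements with @refs
camofox-remote click @e1 # click an element
camofox-remote type @e2 "hello" # type text
camofox-remote screenshot # save a PNG
camofox-remote close # close the tab
```
Core workflow
- Navigate: `camofox-remote open`
- Snapshot: returns an accessibility tree with `@e1`, `@e2` refs (about 90% smaller than the raw HTML)
- Interact: use the refs to click, type and scroll
- Re-snapshot: refs become invalid after the DOM changes and must be fetched again
- Loop: the server keeps running between commands
```bash
camofox-remote open https://example.com/search
camofox-remote snapshot # @e1 [input] search box @e2 [button] submit
camofox-remote type @e1 "camoufox anti-detection"
camofox-remote click @e2
camofox-remote snapshot # always re-snapshot after navigation
```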
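Command quick reference
| Category | Command |
|---|---|
| Server | health, start (no-op: the container is managed externally), stop (no-op: the container is managed externally) |
| Navigation | open , navigate , back, forward, refresh, scroll [down\|up\|left\|right] |
| Page state | snapshot, screenshot [path], tabs, links |
| Interaction | click @eN, type @eN "text" |
| Search | search google "query" (13 macros, see references/macros.md) |
| Session | --session , close, close-all |

Full reference and curl equivalents: references/commands.md.
Ref lifecycle (critical)
Refs (`@e1`, `@e2`) become invalid when the DOM changes. Always re-snapshot after:
- Clicking a link or button that triggers navigation
- Submitting a form
- Dynamic content loading (infinite scroll, SPA route changes)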
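Environment variables
| Variable | Default | Description |
|---|---|---|
| CAMOFOX_URL | required | Remote base URL, e.g. http://172.17.0.1:9377. No default. |
| CAMOFOX_SESSION | default | Default session name (isolates cookies/storage) |
| HTTPS_PROXY | (unset) | Outbound proxy for the browser |

When to use camofox-browser-remote instead of agent-browser
| Scenario | Tool |
|---|---|
| Ordinary sites, no bot detection | agent-browser (faster) |
| Protected by Cloudflare / Akamai | camofox-browser-remote |
| Sites that block Chromium automation | camofox-browser-remote |
| Anti-fingerprinting needed | camofox-browser-remote |
| iOS / mobile emulation needed | agent-browser |
| Video recording needed | agent-browser |

Deep-dive references
| File | When to read |
|---|---|
| references/docker.md | Docker setup, networking, compose examples, CAMOFOX_URL configuration |
| references/commands.md | When you need exact arguments, output formats, or the `curl` equivalent of any command |
| references/api-reference.md | When you need to call endpoints the wrapper does not expose |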
| references/macros.md |