Security Scan
OpenClaw
Suspicious
high confidence
The skill does what it claims (remote Chrome-based crawling) but has inconsistent metadata, encourages using an untrusted HTTP IP server, and would send crawled content and your API key to a third party — proceed with caution or self-host instead.
Assessment and recommendations
This skill functions as a remote crawling client, but it relies on a public server at a raw IP and uses HTTP by default — that means: (1) any pages you ask it to crawl (including sensitive pages) will be transmitted to and stored by that third-party service (Cloudflare R2 storage is mentioned), and (2) your API key and requests may be sent in plaintext if you use the HTTP endpoint. Before installing, consider these steps: (a) do not use the public server for sensitive URLs or credentials; (b) pr...
ℹ Purpose and capability
The skill's functionality (distributed real Chrome crawling) matches the code and instructions: the CLI posts to an OpenCrawl API and downloads results. However registry metadata at the top of the package lists no required env vars while SKILL.md and tools/crawl.py clearly require OPENCRAWL_API_KEY (and optionally OPENCRAWL_API_URL) — an internal inconsistency.
⚠ Instruction scope
SKILL.md explicitly instructs users to register at a raw IP (http://39.105.206.76:9877) and use that public server. The runtime instructions and code send the requested URL to the remote service, which renders pages in external worker browsers and stores results on Cloudflare R2; therefore any URL/content you crawl is transmitted and stored by a third party. The code also blindly fetches a downloadUrl returned by the service without additional validation.
✓ Install mechanism
No install spec (instruction-only skill) and only a minimal Python dependency (requests). Nothing is downloaded or executed at install time from untrusted URLs.
⚠ Credential requirements
Requesting an API key (OPENCRAWL_API_KEY) is proportionate to a remote crawling service. But SKILL.md and the code default to an unencrypted HTTP API endpoint at a raw IP, meaning the Authorization header (the API key) and payloads would be sent in plaintext if the user follows the quick-start. Also, the registry metadata omitted the required env var, a discrepancy that is an informational red flag.
✓ Persistence and privileges
The skill does not request always:true, does not modify other skills or system-wide settings, and does not require persistent elevated privileges.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.2 2026/3/18
- Added support for a new web search feature using multiple search engines with Brave Search API-compatible results.
- Introduced "lite" and "full" modes for both crawling and searching, allowing faster, lower-cost lite operations.
- Updated summary and usage examples to reflect new search and mode options.
- No code changes detected; changes are documentation updates reflecting new features and options.
● Benign
Install command
Official: npx clawhub@latest install chromeopencrawl
Mirror (accelerated): npx clawhub@latest install chromeopencrawl --registry https://cn.longxiaskill.com