Security scan
OpenClaw
Suspicious
Medium confidence. The package is largely coherent with its stated purpose (OK.com browser automation) but includes a local browser extension, a local WebSocket bridge, cookie persistence, and stealth automation tooling — all of which raise privacy/operational concerns that you should understand before installing.
Assessment and recommendations
This skill appears to implement what it claims (browser automation for OK.com) but it requires installing/using a local browser extension and will persist session cookies to a .cookies directory in the project. Before installing or running: 1) Inspect the extension files (manifest.json and background/content scripts) to confirm there are no remote exfiltration endpoints or broad permissions beyond OK.com. 2) Be aware cookies saved under .cookies can contain session tokens — treat them as sensiti...
✓ Purpose and capabilities
The name/description (OK.com automation) matches the included files: CLI shims, browser bridge server, Playwright client, many page-scraping modules, login/cookies handling, and a Chrome extension. These artifacts are expected for a browser-automation skill. Minor inconsistencies: pyproject declares an entrypoint 'ok.cli:main' while code lives under scripts/ok and the SKILL.md also references running 'python scripts/cli.py' — the project appears intended to be runnable either as a local script or via the 'uv' project runner.
⚠ Instruction scope
Runtime instructions direct the agent to run local CLI commands (uv run, uv sync, playwright install) and to use either a browser extension bridge or Playwright headless browsing. The skill instructs saving/loading cookies to a .cookies folder and to run a local WebSocket bridge (listening on localhost:9334). Those behaviors go beyond simple read-only scraping: they can access/modify browser state (cookies, DOM, login flow), and require the user to install a browser extension that will interact with pages. The SKILL.md does communicate some safety constraints (e.g., do not autofill passwords from history) but the agent will have capability to read and persist session cookies and to perform actions (delete/edit posts) that require authentication.
ℹ Installation mechanism
There is no remote download/install spec in the skill metadata (it's instruction/code bundled). The pyproject lists dependencies (playwright, websockets, playwright-stealth). Installing Playwright will download browser binaries (explicitly requested in instructions). No suspicious external download URLs are present in the provided files, but heavy dependencies (playwright, stealth) will be installed and browsers downloaded by the user when following the instructions.
⚠ Credential requirements
The skill does not request environment variables or external credentials in metadata, which is consistent. However, it persists cookies to disk (project-root .cookies/*.json) and can accept user-supplied credentials via CLI for login flows (passwords are used in-process; SKILL.md says not to persist them). The presence of a browser extension (background/content scripts) means the extension will have access to page content and potentially to the user's browsing session for the OK.com domain. These are legitimate for the stated purpose but sensitive — storing cookies/session data and installing an extension are proportional to the task but carry privacy risk.
✓ Persistence and permissions
always:false and normal agent invocation; the skill does not demand force-inclusion. It does create persistent artifacts in the project directory (.cookies) and instructs installing a browser extension (user action). Running a local WebSocket bridge (localhost:9334) is expected for the bridge-mode design; it binds to localhost in code, limiting exposure to the local machine.
Security is layered; review the code before running it.
Runtime dependencies
🖥️ OS: macOS · Linux
Version
latest v0.0.1 2026/4/21
- Initial release of the OK.com automation skill collection.
- Supports multi-country/city/language switching, post search, category browsing, detail retrieval, favorites management, and personal post management.
- Unified CLI operations using uv and ok-cli, with detailed execution and input routing rules.
- Two operation modes: Bridge (with Chrome extension) and Playwright (headless browser fallback).
- Comprehensive input intent parsing and strict routing to sub-skills based on user requests.
- Structured JSON output for all CLI operations and enforced execution constraints.
● Suspicious
Installation command
Official: npx clawhub@latest install ok-core-skills
Mirror (accelerated): npx clawhub@latest install ok-core-skills --registry https://cn.longxiaskill.com (mirror syncing)