Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Captcha Relay

v2.1.0

Human-in-the-loop CAPTCHA solving with two modes: screenshot (default, zero infrastructure) and token relay (requires network access). Screenshot mode captur...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (screenshot and token relay) align with the code and docs. The package implements CDP-based screenshots/injection, a local HTTP relay server, templates to render real widgets, and tunneling options (localtunnel/cloudflared/Tailscale). Required binaries/libraries (Node, Chrome with --remote-debugging-port, ws, sharp) are coherent with the stated capabilities. Nothing in the code requests unrelated credentials or unexpected platform access.
Instruction Scope
SKILL.md and the included docs describe sending annotated screenshots or a relay URL to a human via messaging and then injecting clicks/tokens into the automated browser. The relay server writes received tokens to a predictable file (/tmp/captcha-relay-token.txt) and serves an HTTP endpoint on 0.0.0.0; both are deliberate design choices but worth noting. TAILSCALE.md and ARCHITECTURE.md include instructions to run remote install helpers (e.g. curl|sh for Tailscale) and to use npx localtunnel — these are manual steps the user would run and are documented. The instructions do not ask the agent to read unrelated system files or secrets.
Install Mechanism
There is no platform install spec in the registry (instruction-only), but the package contains code and expects 'npm install' (deps: ws, sharp). The code may rely at runtime on 'npx localtunnel' (which downloads a package on demand) or on a system cloudflared binary; using npx/localtunnel/cloudflared is a moderate-risk, expected choice for tunneling but does fetch/execute code from registries or binaries at runtime. No downloads from unfamiliar personal servers are embedded in the code itself.
Credentials
The skill does not request environment variables, secret tokens, or unrelated credentials. Tailscale usage requires the user to authenticate their Tailscale client separately (documented). The code writes tokens to /tmp for convenience; this is proportional to the relay purpose but may be sensitive in shared environments.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable only. It starts local HTTP servers and (optionally) public tunnels and can stream a browser tab and accept remote input — capabilities necessary for the feature but high-privilege in practice (a remote human can view and interact with the automated browser/tab). It does not modify other skills or global agent settings.
Assessment
This package appears internally consistent with its purpose, but it carries expected risks you should consider before using:

- Functional risks: relay mode opens an HTTP server (0.0.0.0) and can create a public tunnel (localtunnel/cloudflared) or rely on your Tailscale network — anyone who can reach the relay URL or Tailscale IP can view and interact with your browser tab. Treat relay URLs as sensitive and prefer Tailscale/LAN over public tunnels when possible.
- Sensitive data: solved tokens are written to /tmp/captcha-relay-token.txt and may be logged; running on a shared host could leak tokens or page contents. Clean /tmp after use and avoid running on machines with sensitive logged-in sessions.
- Remote code fetch: tunnel mode may run 'npx localtunnel' at runtime (fetches packages) and the Tailscale docs instruct using the official install script (curl | sh). Only run those commands if you trust the sources and understand the installation implications.
- Least privilege: if you only need the screenshot fallback, use screenshot mode (no network exposure). When using relay mode, use --no-inject if you want to receive the token but not have it automatically injected, and set sensible timeouts. Run the tool in an isolated/testing VM for initial evaluation.
- Code review: if you have strict security requirements, review tunnel.js and any code paths that spawn subprocesses, and consider running with limited network access / non-root user.

If you accept those trade-offs, the skill is coherent and does what it claims; otherwise treat relay mode as a high-privilege feature and restrict its use.
