Captcha Relay
Warn
Audited by ClawScan on May 10, 2026.
Overview
Captcha Relay mostly matches its stated CAPTCHA-solving purpose, but it can expose and control an active Chrome session through broad, unauthenticated relay paths.
Install only if you are comfortable granting the skill CDP control over a Chrome session. Prefer a dedicated disposable browser profile, avoid public tunnels unless necessary, use authenticated Tailscale/ACLs or one-time secrets, share screenshots only with trusted humans, and review the browser-relay and npx localtunnel behavior before use.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A CAPTCHA token or callback could be injected into the wrong active browser tab, including a logged-in account session.
The skill injects into the first non-chrome browser target it finds over CDP, rather than a user-confirmed tab or domain.
const target = targets.find(t => !t.url.startsWith('chrome://')) || targets[0]; ... expression: scriptFn(token)
Use a dedicated disposable Chrome profile, require an explicit targetId or URL allowlist, and show/confirm the target page before injection.
Anyone who can reach that relay could potentially see and operate the Chrome tab, not just solve a CAPTCHA.
The browser relay listens on all interfaces and forwards WebSocket messages into CDP mouse/keyboard input without an authentication check shown in the artifact.
host = '0.0.0.0' ... const wss = new WebSocket.Server({ server }); ... ws.on('message', async (raw) => { ... await handleInput(cdp, msg, viewportWidth, viewportHeight); });
Remove or clearly separate this helper, bind it to localhost by default, require a one-time secret or authenticated Tailscale identity, and prompt before accepting remote control.
If the relay URL is leaked or reachable by an unintended party, they could submit a token into the workflow; the token is also left where local processes may read it.
The token relay is network-exposed, allows any origin, accepts a posted token, stores it in a predictable temp file, and resolves the automation flow without verifying the sender.
server.listen(0, '0.0.0.0' ... 'Access-Control-Allow-Origin': '*' ... fs.writeFileSync(tokenFile, token); tokenResolve(token);
Use a random per-session secret path or token, restrict origins where possible, avoid public tunnels by default, clean up the temp token file, and require confirmation before browser injection.
A trusted human or messaging provider may see the CAPTCHA image and possibly surrounding page context.
Sending CAPTCHA screenshots to a human over a messaging channel is central to screenshot mode, but it can expose page content outside the local browser.
Grid overlay screenshot → send image to human via Telegram → human replies with cell numbers → inject clicks.
Use only trusted recipients/channels, crop to the CAPTCHA where possible, and avoid using this on pages with sensitive visible information.
Using relay mode may depend on third-party tunnel package behavior and availability.
Relay mode can launch localtunnel through npx, which may download or execute package code at runtime; this is disclosed and purpose-aligned, but provenance is not pinned in the command.
const proc = spawn('npx', ['localtunnel', '--port', String(localPort)], {
Pin and vendor the tunnel dependency where possible, or prefer a preconfigured trusted tunnel such as Tailscale with ACLs.
A user could copy or share an incorrect private-network URL and misunderstand what endpoint is exposed.
The CLI prints a specific hard-coded Tailscale IP rather than detecting the user's actual Tailscale address.
console.log(` Tailscale: http://100.117.26.44:${relay.port}\n`);
Detect the local Tailscale IP dynamically or omit this line unless the address is user-configured.
