Neo — Web App API Discovery
v2.0.0-skill.6
Browse websites, read web pages, interact with web apps, call website APIs, and automate web tasks. Use Neo when: user asks to check a website, read a web pa...
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the commands in SKILL.md: browsing, schema discovery, UI automation and API calls. Requiring a 'neo' binary and offering an npm install for @4ier/neo is coherent for this functionality. However, the skill's actions involve direct access to the user's Chrome profiles, open tabs, network captures, and cookies, yet the metadata lists no required config paths or credentials to reflect this — an omission that should have been declared explicitly (e.g., access to browser profile data).
Instruction Scope
SKILL.md instructs the agent to list Chrome profiles/emails, open tabs, capture CDP network traffic, export/import cookies to files, and replay captured calls. These actions can read sensitive session data and auth cookies and persist them to disk. While all are plausible needs for a browser-automation tool, they broaden the data the agent can access (browser state, cookies, saved credentials and network traffic). The instructions do not limit where exported files go nor explicitly warn about sensitive data handling beyond a few terse rules, which grants broad discretionary access.
Install Mechanism
The install uses an npm package (@4ier/neo) that creates the 'neo' binary — this is an expected delivery method for a CLI. npm packages run code at install and publish arbitrary binaries, so installing a package carries execution risk. The package source or provenance is not provided here (owner unknown in registry metadata), which increases the operational risk compared to a vetted system package or well-known GitHub release.
Credentials
No environment variables or config paths are declared, yet the tool operates against local Chrome profiles, enumerates profile emails, and exports cookies. That means the skill implicitly requires access to local browser state and file system storage for cookie export/import — sensitive capabilities that are not reflected in the declared requirements. Absence of declared access to browser profile data is a mismatch and reduces transparency about what will be accessed.
Persistence & Privilege
The skill is not marked always:true and doesn't request elevated platform privileges. It does provide commands to persist login sessions (cookies export/import) and to set a default profile (neo profile use), which means it can create persistent state on disk or in its own config. Autonomous invocation is allowed by default; combined with cookie/profile access, that increases the potential blast radius, but autonomous invocation alone is not a decisive red flag.
What to consider before installing
This skill behaves like a local browser automation tool and will read browser profiles, open tabs, network captures, and cookies — data that can include active login sessions. Before installing:
(1) Review the npm package source and recent version history for @4ier/neo (inspect its repository, maintainers, and any postinstall scripts).
(2) Prefer installing/using it in a sandbox or on a throwaway Chrome profile, not your primary profile. Create a dedicated Chrome profile for Neo and avoid 'Default'.
(3) Do not use the cookies export/import commands with sensitive accounts unless you understand where the exported file is stored and that it will be protected.
(4) Consider running 'neo doctor' and other commands manually yourself first to observe behavior.
(5) If you need to allow the agent to run this skill autonomously, limit its scope (disable autonomous invocation for sensitive tasks) and avoid granting access to real profiles or high-value accounts.
Like a lobster shell, security has layers — review code before you run it.
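The manifest check behind consideration (1), as an added example (not code from the scanner or from the Neo project): it reports the install-time lifecycle scripts and the commands a package.json would put on PATH, compared against the single expected 'neo' binary. The manifest below is constructed for illustration and is not the real @4ier/neo manifest; auditManifest, binNames and the expectedBins parameter are hypothetical names.

```javascript
// Added example: audit an npm manifest (package.json) before a global install.
// SAMPLE_MANIFEST is constructed for illustration; it is NOT the real
// @4ier/neo manifest. For real use, pass the parsed package.json taken from
// the tarball that `npm pack <name>` downloads (no install is performed).

// Lifecycle hooks npm runs automatically when a registry package is installed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// "bin" is either a string (command = unscoped package name) or a name->file map.
function binNames(manifest) {
  const bin = manifest.bin;
  if (!bin) return [];
  if (typeof bin === "string") {
    return [String(manifest.name || "").replace(/^@[^\/]+\//, "")];
  }
  return Object.keys(bin);
}

// Returns what would execute at install time and which commands would be linked.
function auditManifest(manifest, expectedBins) {
  const scripts = manifest.scripts || {};
  const installScripts = INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({ hook, command: scripts[hook] }));
  const bins = binNames(manifest);
  return {
    installScripts,
    unexpectedBins: bins.filter((b) => !expectedBins.includes(b)),
    missingBins: expectedBins.filter((b) => !bins.includes(b)),
    // Each dependency can carry install scripts of its own.
    dependencyCount: Object.keys(manifest.dependencies || {}).length,
  };
}

// Constructed sample: one install hook and one command beyond the expected one.
const SAMPLE_MANIFEST = {
  name: "@example/sample-cli",
  version: "0.0.0",
  bin: { neo: "dist/cli.js", helper: "dist/helper.js" },
  scripts: { build: "tsc", postinstall: "node scripts/setup.js" },
  dependencies: { ws: "^8.0.0" },
};

const report = auditManifest(SAMPLE_MANIFEST, ["neo"]);
console.log(JSON.stringify(report, null, 2));
```

If the report lists install scripts that have not been read yet, npm's --ignore-scripts option installs the package without running them.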
Runtime requirements
Bins: neo
Install
Install Neo CLI (npm)
Bins: neo
npm i -g @4ier/neo
latest
Neo 2.0 — Web App API Discovery & Browser Automation
Neo turns any website into an AI-callable API. Zero extensions required — pure CDP.
⚠️ MANDATORY FIRST STEP
neo doctor
- All ✓ → proceed
- Chrome CDP ✗ → neo start (launches Chrome with correct profile + CDP)
- Still ✗ → ask the user, then STOP. Don't loop.
Critical Rules
- NEVER start Chrome manually — always neo start
- NEVER copy Chrome profiles — login sessions live in the real profile
- NEVER pkill chrome — user may have important tabs open
- If stuck → tell user, STOP. Don't retry in a loop.
Workflows
Read a web page
neo doctor
neo read example.com # Extract readable text from any open tab
# If page isn't open:
neo open https://example.com
neo read example.com
Call a website's API (fast path)
neo doctor
neo schema show x.com # Check existing API knowledge
neo api x.com HomeTimeline # Call it (auto-auth from browser)
neo api x.com CreateTweet --body '{"variables":{"tweet_text":"hello"}}'
Discover APIs for a new website
neo doctor
neo open https://example.com # Open in Chrome
# Browse around to generate traffic
neo capture list example.com --limit 20
neo schema generate example.com
neo api example.com <keyword>
UI automation (click/fill/type — when no API exists)
neo doctor
neo snapshot # Get a11y tree with compact ref IDs
neo click 14 # Click element by ref number
neo fill 7 "search query" # Clear + fill input
neo type 7 "text" # Append text
neo press Enter
neo scroll down 500
neo screenshot
Refs are compact integers: [0] button "Sign in", [1] input "Search".
Use neo click 0, neo fill 1 "query" etc. Legacy @e5 and [5] formats also work.
Cookie management
neo cookies list # All cookies for active page
neo cookies list github.com # Filter by domain
neo cookies export github.com cookies.json # Save to file
neo cookies import cookies.json # Restore cookies
neo cookies clear github.com # Delete by domain
neo cookies clear # Delete all
Use export + import to persist login sessions across browser restarts.
Profile management
neo profile list # Discover all Chrome profiles + emails
neo profile use "Default" # Set default profile
neo start # Launches with selected profile
Clean up — close tabs when done
neo tabs
neo eval "window.close()" --tab example.com
Command Reference
# Page Reading & Interaction
neo open <url> # Open URL in Chrome
neo read <tab-pattern> # Extract readable text
neo eval "<js>" --tab <pattern> # Run JS in page context
neo tabs [filter] # List open Chrome tabs
# UI Automation (compact refs: neo click 5, neo fill 3 "text")
neo snapshot [-i] [-C] [--json] [--diff] # A11y tree with compact refs
neo click <ref> [--new-tab] # Click element
neo fill <ref> "text" # Clear + fill input
neo type <ref> "text" # Append text to input
neo press <key> # Keyboard key (Ctrl+a, Enter, etc.)
neo hover <ref> # Hover
neo scroll <dir> [px] [--selector css] # Scroll
neo select <ref> "value" # Select dropdown
neo screenshot [path] [--full] # Capture screenshot
neo get text <ref> | url | title # Extract info
neo wait <ref> | --load | <ms> # Wait for element/load/time
# Cookie Management
neo cookies list [domain] # List cookies
neo cookies export [domain] [file] # Export as JSON
neo cookies import <file> # Import from JSON
neo cookies clear [domain] # Clear cookies
# Profile Management
neo profile list # Discover Chrome profiles
neo profile use <name> # Set default profile
# Capture & Traffic (no extension needed — pure CDP)
neo status # Overview
neo capture start # Start CDP network capture
neo capture stop # Stop capture
neo capture list [domain] [--limit N] # Recent captures
neo capture search <query> # Search by URL pattern
neo capture domains # Domains with counts
neo capture detail <id> # Full capture details
# Schema (API Knowledge)
neo schema generate <domain> # Generate from captures
neo schema show <domain> # Human-readable
neo schema list # All cached schemas
neo schema search <query> # Search endpoints
# API Execution
neo api <domain> <keyword> [--body '{}'] # Smart call (schema + auto-auth)
neo exec <url> [--method POST] [--body] [--tab pattern] [--auto-headers]
neo replay <id> [--tab pattern] # Replay captured call
# Setup & Diagnostics
neo setup # First-time setup
neo start [--profile <name>] # Launch Chrome with correct profile + CDP
neo doctor [--fix] # Health check (--fix to auto-repair)
Decision Tree
Want to interact with a website?
│
├─ FIRST: neo doctor
│ ├─ All ✓ → continue
│ ├─ Chrome ✗ → neo start → retry
│ └─ Still ✗ → ask user, STOP
│
├─ Just read content? → neo read <domain>
│
├─ Need to call an API?
│ ├─ neo schema show <domain> → exists? → neo api
│ └─ No schema? → neo open → browse → neo schema generate → neo api
│
├─ Need to click/fill/type?
│ └─ neo snapshot → neo click 5 / neo fill 3 "text"
│
├─ Need to manage cookies/sessions?
│ └─ neo cookies list/export/import/clear
│
└─ Done? → neo eval "window.close()" --tab <domain>
Key Principles
- neo doctor first, always.
- API > UI automation. If schema has it, use neo api. Don't snapshot+click.
- Auth is automatic. API calls inherit browser cookies/session/CSRF.
- Close tabs after use. Every neo open creates a new tab.
- If stuck, stop. Don't loop on Chrome startup. Ask the user.
