ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

auto-fill

通过 Chrome Debug 模式(CDP)读取当前页面的表单结构并自动填写。由用户显式调用(/auto-fill),不自动触发。用户负责导航和点击,Agent 负责识别字段、填写内容、截图确认。

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 52 · 0 current installs · 0 all-time installs
byfanzhuo@scottliu007
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to read forms via Chrome CDP and fill them — that aligns with requiring CDP access. However, the SKILL.md mandates starting a local Chrome process, editing ~/.cursor/mcp.json, and using npx/@playwright/mcp at runtime. Those actions go beyond only reading/filling forms and involve modifying user config and launching executables; users might not expect the agent to perform those system-level operations.
!
Instruction Scope
The instructions tell the agent to: curl localhost:9222, and if no response, directly run a nohup command to start Chrome in the background; infer target URLs and navigate without asking the user; edit ~/.cursor/mcp.json to add a tool configuration; and use npx to run @playwright/mcp. These are concrete, potentially intrusive actions (running shell commands, writing to a user config, autonomous URL inference/navigation) which expand the agent's scope beyond passive form-filling and could cause unexpected side effects or privacy exposure.
Install Mechanism
No formal install spec or code files are present (instruction-only), which is lower risk. However, the SKILL.md expects runtime use of npx to fetch @playwright/mcp and running the Chrome binary directly; both involve network fetches and executing local binaries even though no install metadata declares or constrains that behavior.
!
Credentials
The skill declares no environment variables or credentials, which is appropriate. But it explicitly instructs avoiding the sandbox browser and using a real Chrome via CDP — this can expose browser session state if misconfigured. It also asks to create/edit ~/.cursor/mcp.json, giving the skill write access to an agent config path. Those file/command-level accesses are disproportionate to a minimal read-and-fill description unless the user expects the agent to manage local tooling.
Persistence & Privilege
always is false (good). The skill advises adding a persistent entry to ~/.cursor/mcp.json to register the playwright-cdp tool — this modifies the agent/tooling configuration (its own scope), which can be reasonable but should be presented to users for consent. There is no request for system-wide or other-skills' config edits.
What to consider before installing
Before installing or invoking this skill, be aware it instructs the agent to run shell commands on your machine (it may start Chrome in the background), edit a config file (~/.cursor/mcp.json), and fetch/run code via npx. These actions can change your local environment and potentially access browser sessions or navigate to inferred websites without asking for explicit links. If you plan to use it: 1) only run on systems you control (avoid production machines); 2) require the agent to ask for explicit confirmation before starting Chrome, editing files, or navigating to any inferred URL; 3) verify the exact nohup/Chrome command for your OS and ensure it uses a safe user-data-dir (not your primary browser profile); 4) consider running the skill in a sandbox or VM and back up ~/.cursor/mcp.json first. If any of these behaviors are unacceptable, do not install/use the skill.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk975m0xc6n3mxjc8g79vkd7be9839bnn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

auto-fill

帮你填表。你来点击导航,我来识别字段和填写内容。

使用方式

/auto-fill 公司名: ACME, 邮箱: foo@bar.com, 备注: 测试订单

数据格式自由,键值对 / 自然语言描述都行,我来匹配字段。

重要:必须使用 playwright-cdp 工具集

所有浏览器操作必须使用 playwright-cdp 的工具(连接真实 Chrome),不要使用 cursor-ide-browser 的内置浏览器工具。

  • ✅ 用:playwright-cdp 提供的 browser_navigatebrowser_snapshotbrowser_fill
  • ❌ 禁止:cursor-ide-browser 的同名工具(沙盒浏览器,没有登录态)

工作流程

第一步:检查 Chrome debug 是否在线

curl -s http://127.0.0.1:9222/json/version
  • ✅ 有响应 → 继续
  • ❌ 无响应 → 直接用 Shell 启动 Chrome,不要让用户手动跑命令

直接执行(后台启动):

nohup /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
  --remote-debugging-port=9222 \
  --user-data-dir="/tmp/chrome_debug_profile" \
  > /tmp/chrome_debug.log 2>&1 &

等 2 秒后重新 curl 确认启动成功,再继续。

第二步:导航到目标页面

根据用户的描述推断目标 URL,直接 browser_navigate 过去,不要问用户要链接

  • 「打开 Google」→ https://www.google.com
  • 「去 Wise 注册」→ https://wise.com/register
  • 「打开 Creem」→ https://creem.io
  • 模糊描述 → 用常识判断最合理的 URL,导航后截图确认

只有完全无法推断时,才问用户要链接。

第三步:读取页面结构

browser_snapshot

获取无障碍树,识别所有可填写字段(input、textarea、select 等)。

第四步:匹配字段

把用户提供的数据与页面字段对应:

  • 字段名/placeholder/label → 语义匹配,不要求精确
  • 不确定的字段:列出来问用户,不要乱填
  • 没有对应数据的字段:跳过,保持原值

第五步:填写

使用 browser_fill 逐字段填入。

规则:

  • 密码类字段:填前确认
  • 下拉框(select):用 browser_select_option
  • 文件上传:用 browser_upload_file,需用户确认路径

第六步:截图确认

browser_take_screenshot

展示填写结果,明确告知:「填完了,请你来点提交」

边界规则

操作Agent 做用户做
识别表单字段
填写内容
截图确认
点击导航 / 翻页
点击提交按钮除非明确说「帮我提交」✅ 默认
处理弹窗 / 验证码

环境配置(首次)

如果 ~/.cursor/mcp.json 里没有 playwright-cdp 配置,添加:

"playwright-cdp": {
  "command": "npx",
  "args": ["-y", "@playwright/mcp@latest", "--cdp-endpoint", "http://127.0.0.1:9222"]
}

添加后提示用户重载 MCP(Cursor 设置 → MCP → Reload)。

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…