Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Agent Browser with Camoufox
v1.0.0One-click deployment of camoufox anti-detection browser with modified agent-browser. Patches agent-browser to auto-detect camoufox/firefox from executable pa...
⭐ 0· 385·2 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description claim to deploy camoufox and patch agent-browser; the SKILL.md and install.sh perform exactly those actions (install camoufox, install/locate agent-browser, modify getBrowserType, recompile, replace global package). No unrelated credentials or unexplained capabilities are requested.
Instruction Scope
The runtime instructions ask the agent/user to run a script that will download and execute third-party installers, pip packages, clone GitHub repos, edit source files, compile Rust code, and replace the globally installed agent-browser. The script performs wide filesystem writes (overwriting global npm package directories) and network downloads; it does not include checksum or signature verification of downloaded artifacts. While these actions are coherent with the goal, they grant the script broad discretion over your system.
Install Mechanism
There is no formal install spec in registry metadata; the included install.sh uses curl | sh (astral.sh for uv, sh.rustup.rs for Rust), pip installs, and git clone from GitHub. These are traceable, but any install-that-pipes-remote-scripts-to-sh and automatically writes into global package locations is a higher-risk pattern and should be reviewed before execution.
Credentials
The skill does not request environment variables, credentials, or access to unrelated config paths. The required capabilities (network access, write access to npm global path, ability to install pip/Rust) are proportionate to compiling and replacing an npm package.
Persistence & Privilege
The skill will modify/replace an existing globally installed tool (agent-browser). Although always:false and not autonomously persistent, overwriting another package's installation is a privileged action that can affect other tools/skills on the system and should be treated as sensitive.
What to consider before installing
Do not run the installer blindly. The script executes remote installers (curl | sh), downloads packages and a browser binary, and will overwrite your globally installed agent-browser. Before installing: (1) inspect install.sh line-by-line and verify every remote URL (astral.sh, sh.rustup.rs, GitHub repos); (2) prefer manual steps (install uv, pip install camoufox, clone agent-browser yourself) or run the script inside a disposable VM/container; (3) back up the global agent-browser path as suggested and keep the backups offline; (4) verify sources/checksums of downloaded binaries where possible; (5) be aware this enables an anti-detection tool (may violate service ToS/legal constraints); (6) if unsure, ask the publisher for signed releases or a reproducible build process rather than running an automated replace of system packages.Like a lobster shell, security has layers — review code before you run it.
latestvk978wp01j4kywsxmzjdt28me358220ne
License
MIT-0
Free to use, modify, and redistribute. No attribution required.