ClawHub
Back to skill
v1.0.0

Camoufox Deploy

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 6:15 AM.

Analysis

The skill is openly aimed at installing Camoufox and patching agent-browser, but its installer makes broad persistent system changes and has a path/workdir issue that could run or copy the wrong project.

GuidanceReview the installer before running it. If you proceed, run it in a controlled temporary directory, verify the agent-browser path it will modify, avoid system-wide installs where possible, and be aware that this installs anti-detection browser tooling and changes global browser automation behavior.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
SeverityHighConfidenceHighStatusConcern
scripts/install.sh
if [ -f "package.json" ]; then
    log_info "在源码目录中,安装依赖并编译..."
    npm install
    ...
    npm run build
    ...
    cp -r . "$AGENT_BROWSER_PATH"

This branch runs npm install/build and copies the current directory into the global agent-browser path based only on whether the current working directory has package.json. Since the documented command runs the script by path, the caller's current directory may not be the intended agent-browser source tree.

User impactIf run from a project directory, it could execute that project's npm lifecycle/build scripts and overwrite the global agent-browser package with unrelated files.
RecommendationRun only after reviewing the script, preferably from an empty temporary directory, or modify it to explicitly cd into the intended agent-browser source path before running npm commands or copying files.
Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusConcern
scripts/install.sh
npm install -g agent-browser
...
mv "$AGENT_BROWSER_PATH" "$BACKUP_PATH"
...
cp -r . "$AGENT_BROWSER_PATH"

The installer globally installs and then replaces the agent-browser package, changing browser automation behavior for future uses outside the immediate skill run.

User impactThis can alter or break a globally installed browser automation tool and affect later automation tasks, not just this one deployment.
RecommendationPrefer a local or virtual-environment install, confirm the exact target path before replacement, and keep clear restore instructions for the backup.
Agentic Supply Chain Vulnerabilities
SeverityMediumConfidenceHighStatusNote
scripts/install.sh
curl -LsSf https://astral.sh/uv/install.sh | sh
...
uv pip install camoufox --system || pip3 install camoufox
...
npm install -g agent-browser
...
git clone --depth 1 https://github.com/browser-use/agent-browser.git

The deployment depends on live remote installers and unpinned package/source downloads. This is related to the stated install purpose, but it means the installed code may change over time.

User impactYou are trusting the current versions of several external sources at install time, and a compromised or changed upstream could affect your machine.
RecommendationPin versions or commits where possible, avoid curl-to-shell installers unless trusted, and review upstream package sources before running the one-click installer.