2Captcha CLI
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is transparent about what it does, but it is designed to help an agent bypass CAPTCHA protections and install an unpinned remote CLI.
Review this carefully before installing. It may be appropriate only for authorized testing or workflows you control; using it to bypass CAPTCHA protections on third-party sites can violate site rules and enable abuse. If you proceed, inspect and pin the remote CLI before installing, protect the 2Captcha API key, and avoid submitting sensitive page content.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could help automate actions that websites intentionally block with CAPTCHA challenges.
The skill is explicitly framed for bypassing CAPTCHA protections, including account creation and form submission, which are common anti-abuse enforcement points.
Use for bypassing captchas during web automation, account creation, or form submission.
Only use this in systems you own or are explicitly authorized to test; add explicit user confirmation and authorized-use limits before solving or injecting CAPTCHA tokens.
This can let automated workflows proceed through protections intended to distinguish humans from bots.
The browser automation workflow goes beyond solving a challenge and instructs how to place the resulting token into the page to bypass the site's CAPTCHA gate.
Inject token - Set `g-recaptcha-response` or callback
Require clear user intent and authorization before using token injection, and avoid using it against third-party sites without permission.
The code installed later may differ from what the skill reviewer saw, and a compromised or changed upstream file would run as a local command.
The install path downloads executable code from a mutable GitHub branch and places it in a system-wide executable directory, while the reviewed artifact set contains no copy of that code or pin/hash.
curl -fsSL https://raw.githubusercontent.com/adinvadim/2captcha-cli/main/solve-captcha \ -o /usr/local/bin/solve-captcha && chmod +x /usr/local/bin/solve-captcha
Inspect the upstream script before installing, prefer a pinned release or commit hash, verify checksums, and avoid writing to system-wide paths unless necessary.
Anyone with access to the key could use the user's 2Captcha account balance.
The skill uses a 2Captcha API key, which is expected for the service, but it is still a credential that can spend account balance if exposed or misused.
echo "YOUR_API_KEY" > ~/.config/2captcha/api-key # Or use environment variable export TWOCAPTCHA_API_KEY="your-key"
Store the API key securely, restrict shell history exposure when setting it, and rotate it if it may have been exposed.
Sensitive page context or images could be exposed to the 2Captcha provider or its human solvers if used carelessly.
The service is external and human-powered, so CAPTCHA images, site URLs, sitekeys, or text prompts used in commands may be sent outside the local environment.
Solve CAPTCHAs programmatically using the 2Captcha human-powered service.
Do not submit CAPTCHAs or page URLs containing confidential information, and review 2Captcha's data handling terms before use.