2Captcha CLI
WarnAudited by ClawScan on May 10, 2026.
Overview
This skill openly helps an agent bypass CAPTCHA protections for web automation and account creation, and it installs an unreviewed remote CLI that uses a 2Captcha API key.
Review this carefully before installing. Use it only for authorized testing or your own systems, do not allow an agent to bypass CAPTCHAs on third-party services without explicit permission, pin and review the remote CLI code before installation, and protect the 2Captcha API key and account balance.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could use this to defeat protections on websites, which may violate site rules, trigger account bans, incur costs, or support abusive automation.
This explicitly frames the skill for bypassing anti-bot protections and automating account creation or submissions, without scoping it to authorized testing or requiring user approval.
Use for bypassing captchas during web automation, account creation, or form submission.
Install only if you have a legitimate, authorized need. Require explicit per-site approval, restrict use to systems you own or are permitted to test, and avoid using it for third-party account creation or unsolicited form submission.
You would be trusting whatever code is served from that GitHub path at install time, and future changes to the remote branch may differ from what was reviewed here.
The setup downloads an executable from a mutable branch and places it in a global PATH location, while the submitted artifacts do not include the executable source for review.
curl -fsSL https://raw.githubusercontent.com/adinvadim/2captcha-cli/main/solve-captcha \ -o /usr/local/bin/solve-captcha && chmod +x /usr/local/bin/solve-captcha
Review the upstream script before installing, prefer a pinned commit or signed release, and avoid installing to a privileged global path unless necessary.
The API key can spend account balance and may be readable by local processes or users depending on file permissions and shell environment handling.
The skill requires a 2Captcha credential and stores or exposes it locally; this is expected for the provider but is not declared in the registry metadata.
echo "YOUR_API_KEY" > ~/.config/2captcha/api-key # Or use environment variable export TWOCAPTCHA_API_KEY="your-key"
Use a dedicated low-balance API key if possible, protect the config file permissions, avoid passing keys on command lines, and rotate the key if you suspect exposure.