Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

B0tresch Stealth Browser

v1.1.0

Anti-detection web browsing that bypasses bot detection, CAPTCHAs, and IP blocks using puppeteer-extra with stealth plugin and optional residential proxy sup...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (anti-detection browsing with stealth plugin and optional residential proxy) match the included code and SKILL.md. The repository contains puppeteer + stealth usage and optional Smartproxy proxy configuration — all expected for this functionality.
Instruction Scope
SKILL.md and scripts/browser.js are consistent: they instruct npm install, optionally place Smartproxy credentials in ~/.config/smartproxy/proxy.json, and run the provided CLI or exported browse() function. The instructions do not request reading unrelated files or environment variables beyond the documented proxy config file.
Install Mechanism
There is no platform install spec; the user runs 'npm install' per SKILL.md. That will fetch puppeteer and related packages from the npm registry (package.json and package-lock.json included). This is expected but means third-party npm packages will be downloaded — review package-lock.json and run in a controlled environment if you have supply-chain concerns.
Credentials
The skill requests no environment variables or global credentials. It does read a local file (~/.config/smartproxy/proxy.json) for proxy credentials when --proxy is used. Storing proxy credentials in a plaintext config file is documented but is a potential local-secrets risk the user should be aware of.
Persistence & Privilege
The skill does not request persistent/automatic inclusion (always: false) and does not modify other skills or system-wide configs. It only reads its own optional proxy config file in the user's home directory.
Assessment
This skill appears to do exactly what it says: launch a puppeteer browser with stealth evasion and optionally use Smartproxy credentials stored in ~/.config/smartproxy/proxy.json. Before installing: (1) be aware that 'npm install' will download many packages from the public registry — inspect package-lock.json or run in an isolated environment if you worry about supply-chain risk; (2) storing proxy credentials in a plaintext file is convenient but consider file permissions or a more secure secret store; (3) using a tool that bypasses bot/CAPTCHA protections can facilitate abusive automation — ensure your use is legal and ethical; (4) visited pages may execute arbitrary JavaScript in the headless browser (the skill fetches page HTML/content and prints it), so run it in a sandboxed environment if you will visit untrusted sites.

Like a lobster shell, security has layers — review code before you run it.
