Ultimate Freedom Protocol
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is explicitly built to evade website protections and includes unsafe browser-control scripts that can expose or take over Chrome.
Do not install this skill on a personal or production machine. If you have explicit authorization to test anti-bot defenses, use a disposable isolated VM/container, block external access to debugging ports, disable autonomous invocation, and review every script before running it.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could be used to bypass protected websites, scrape blocked content, violate terms or laws, and trigger account/IP enforcement.
The skill directly advertises evading anti-bot/WAF protections for stealth data extraction, which is a high-risk misuse pattern rather than a normal scoped web integration.
description: "... bypass DataDome, Cloudflare, and Bilibili. Ideal for undetectable server-side data extraction."
Do not install or run this except in an isolated lab with explicit written authorization for the target systems; remove WAF-bypass and undetectable-extraction behavior.
The agent may invoke scraping, takeover, or browser-control workflows without a direct user command.
For this specific high-risk toolkit, autonomous invocation materially increases risk and conflicts with the skill's own SKILL.md/_meta setting that attempts to disable model invocation.
disable-model-invocation: false (default — agent can invoke autonomously, this is normal)
Disable autonomous invocation at the registry level and require explicit user approval for every high-impact action.
Anyone able to reach the debugging port could control the browser session, inspect pages, or manipulate browser state.
Chrome DevTools Protocol can control the browser; binding it to all interfaces and allowing all origins expands access beyond the local intended user.
--remote-debugging-address=0.0.0.0 ... --remote-allow-origins="*"
Bind debugging only to 127.0.0.1, remove wildcard origins, firewall the port, use isolated throwaway profiles, and require explicit user approval.
The skill can run page JavaScript through a browser debugging channel, which can be extended to inspect or alter page state beyond simple fetching.
The script uses raw CDP Runtime.evaluate to execute JavaScript in the controlled browser page, and this particular script lacks the stronger gates described elsewhere.
send("Runtime.evaluate", {"expression": "[...document.querySelectorAll('a')].map(e => e.innerText)"})
Remove raw CDP evaluation from default workflows, constrain any browser automation to reviewed scripts, and require per-action user confirmation.
Running the skill could terminate the user's existing browser sessions and leave high-privilege browser-control services running in the background.
The daemon kills unrelated browser/display processes and starts background Chrome and relay processes, creating persistent behavior outside a single bounded task.
pkill -9 chrome; pkill -9 Xvfb; ... nohup xvfb-run ... &; ... nohup python3 ... python_relay.py ... &
Do not run this daemon on a normal workstation; if testing is authorized, use a disposable VM/container and add clear startup, shutdown, and cleanup controls.
The skill may execute code outside the reviewed package if that path exists, or fail unpredictably on other systems.
The script launches a helper from a hardcoded external skill path rather than the bundled file, creating an unreviewed dependency and provenance gap.
nohup python3 /home/jiahao/.openclaw/workspace/skills/drission-agent/scripts/python_relay.py > /home/jiahao/relay.log 2>&1 &
Use only bundled, reviewed helpers with relative paths; remove personal paths and declare all dependencies in a reproducible install specification.
Other local processes may be able to use the relay to access browser-control traffic or page data.
The relay forwards browser-debug traffic without client authentication; even though it binds to loopback, it bridges a high-impact control channel with unclear identity boundaries.
server.bind(('127.0.0.1', local_port)); server.listen(5); ... socket.create_connection(('127.0.0.1', remote_port), timeout=5)
Add authentication, randomize ports, restrict clients, avoid bridging CDP unless necessary, and document exactly what data/control crosses the boundary.
A user may over-trust the skill's self-described security controls and run unsafe browser-takeover tooling.
The package presents strong safety and verification claims, but other provided scripts start nohupped browser/relay processes and expose CDP broadly, so the safety posture is misleading.
**Security Control**: Implements `IDLE_TIMEOUT` and `MAX_LIFESPAN`. It is physically unable to persist beyond the task's scope. ... **Audit Status**: Verified by SpatialGPT SOTA Engine (2026)
Remove unsupported audit/verification claims and accurately document the remaining risks, required approvals, and containment steps.
