Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Web Freedom Toolkit
v8.0.0
Universal Server-Side Web Freedom Toolkit. Harmonizes Scrapling (Self-Healing Fetch), curl_cffi (TLS Impersonation), and DrissionPage (D-Mode) for undetectab...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (web-bypass, stealth browsing) aligns with included scripts: scrapling, curl_cffi, DrissionPage usage, and utilities for CDP takeovers and tunneling. However multiple included scripts provide low-level driver injection, CDP Runtime.evaluate execution, and a socket relay — features that are high‑privilege and go beyond simple 'fetch' helpers. These advanced capabilities can be coherent for the stated goal but are disproportionate for a lightweight 'fetch' helper and should be explicitly justified.
Instruction Scope
SKILL.md instructs running the unified engine (freedom_engine.py) which is expected, but bundled code references/executes high‑scope actions: raw CDP takeover (force_takeover.py / force injection), direct BrowserDriver injection (nuclear_option.py), creation of local relays and Unix auth sockets, and opening of HTTP CDP endpoints on localhost. Several scripts expect interactive gating or token files; those gating mechanisms are fragile or not enforced by the declared runtime instructions. The agent instructions do not declare or warn about these local privileged operations.
Install Mechanism
No remote installers or downloads are used; dependencies are Python packages listed in requirements.txt and SKILL.md. There is no download-from-URL or extract step in the manifest. This reduces supply‑chain risk compared to remote binary pulls.
Credentials
Manifest/metadata declare no required env vars, yet code expects external signals and secrets not declared: SOTA_NUCLEAR_CONFIRMED env var (nuclear_option.py), a lock file at ~/.openclaw/tmp/sota_active.lock (sota_security.py), and a memory Unix socket /tmp/.sota_auth.sock used for UDS handshakes. Those are control/authorization mechanisms but are not described in SKILL.md or manifest. The number and sensitivity of implicit controls is high relative to the declared 'no env vars' policy.
Persistence & Privilege
The package does not request 'always: true' (good), and SKILL.md/_meta.json include disable-model-invocation: true (which would prevent autonomous invocation). However the registry-level flags reported at the top of this evaluation show disable-model-invocation:false — a metadata mismatch. The code can create local relays/tunnels and spawn subprocesses that run for up to an hour; while scripts include self‑destruct/timeouts, these capabilities increase the blast radius if the skill is invoked — particularly if autonomous invocation is allowed. The metadata inconsistency about model invocation is an important red flag.
What to consider before installing
This package appears to implement advanced, high‑privilege tooling for bypassing anti‑bot protections (CDP takeovers, driver injection, local tunnel forwarding). That capability can be legitimate for research but is risky. Before installing or running:
1) Verify whether the registry actually enforces disable-model-invocation (SKILL.md/_meta.json claim disable-model-invocation:true but registry flags here show false). If autonomous invocation is permitted, assume the agent could run high‑privilege code.
2) Inspect and understand the gating mechanisms: the code expects a lock file (~/.openclaw/tmp/sota_active.lock), a Unix socket (/tmp/.sota_auth.sock), and an env var SOTA_NUCLEAR_CONFIRMED for ‘nuclear’ actions — none are declared in manifest.
3) Only run in an isolated VM/container with no sensitive host services reachable; the relay/tunnel and CDP takeover code can be used to pivot to other local services.
4) If you do not need driver injection or socket tunneling, prefer a minimal tool that only uses scrapling or curl_cffi.
5) If you trust the author and need this functionality, require a registry-level policy that enforces disable-model-invocation:true and document the explicit human approval workflow for the nuclear paths.
If any of these checks fail or you are uncomfortable, do not install or run this skill.
Like a lobster shell, security has layers — review code before you run it.
SOTA, freedom, latest, stealth, vps-optimized
Runtime requirements
🕊️ Clawdis
Bins: google-chrome-stable, xvfb-run, dbus-launch
