Captcha Solver
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is designed to bypass CAPTCHA and bot-protection systems, including reCAPTCHA-style challenges, and it handles a 2Captcha API key insecurely.
Avoid installing this skill unless you have a clearly authorized, controlled testing need. It is built to defeat CAPTCHA protections, and providing a 2Captcha key or CAPTCHA images may expose credentials and data to a third party.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could bypass websites' human-verification controls and automate access where the site intended to stop bots.
The script implements obtaining reCAPTCHA tokens from 2Captcha and generating human-like slider movement, which is direct automation of anti-bot challenge bypass.
submit_url = f"http://2captcha.com/in.php?key={self.api_key}&method=userrecaptcha&googlekey={site_key}&pageurl={url}" ... "Generate human-like slide trajectory"Do not install or use this skill for third-party websites; only consider tightly controlled, explicitly authorized testing or accessibility contexts.
A user's 2Captcha API key could be leaked or abused, potentially causing account charges or account compromise.
The skill reads a 2Captcha API key and places it into a plain HTTP URL, exposing the credential to network interception and URL logging.
API_2CAPTCHA = os.getenv("API_2CAPTCHA", "") ... submit_url = f"http://2captcha.com/in.php?key={self.api_key}Avoid providing real API keys to this skill; a safe implementation should declare the credential, use HTTPS, and avoid putting secrets in URLs or command-line arguments.
CAPTCHA screenshots and target page information may leave the local environment and be processed by an external service.
For 2Captcha image solving, selected local CAPTCHA images are encoded and sent to a third-party provider; this is expected for the feature but privacy-relevant.
with open(image_path, "rb") as f: img_data = base64.b64encode(f.read()).decode() ... &body={img_data}Do not submit screenshots or CAPTCHA contexts that contain private, sensitive, or regulated information.
Installing dependencies without pinned versions can produce different code over time or pull in compromised packages if the environment is not controlled.
The install guidance uses unpinned packages from external package repositories; this is user-directed and common for Python tools, but it leaves dependency provenance and version integrity to the user.
pip install pillow numpy opencv-python
If reviewing in a controlled environment, pin dependency versions and install from trusted package sources only.