ClawHub

CapSolver

WarnAudited by ClawScan on May 18, 2026.

Overview

This skill is transparent about using CapSolver, but it gives an agent broad ability to automatically solve CAPTCHA and anti-bot challenges such as Cloudflare, DataDome, and AWS WAF.

Install only if you intentionally need CapSolver integration and are authorized to solve these challenges. Treat the API key and any proxy credentials as secrets, and avoid using the skill on third-party sites or sensitive pages without explicit permission.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

High
#ASI02: Tool Misuse and Exploitation
What this means

An agent could use this skill to get past human-verification or bot-protection systems on websites, which may violate site rules or enable unwanted automation.

Why it was flagged

The core capability is automatic solving of CAPTCHA and anti-bot challenges, including Cloudflare, DataDome, and AWS WAF, with no visible target restrictions or authorization guardrails.

Skill content
Use this skill to automatically resolve various CAPTCHA challenges using the CapSolver API service. The skill supports Geetest, reCAPTCHA v2/v3, MTCaptcha, DataDome, AWS WAF, Cloudflare Turnstile, Cloudflare Challenge, and more.
Recommendation

Use only on systems you own or are explicitly authorized to test, and require explicit user confirmation before solving challenges for any third-party site.

Low
#ASI03: Identity and Privilege Abuse
What this means

Anyone with access to the API key could spend your CapSolver balance or perform requests under your CapSolver account.

Why it was flagged

The skill requires a CapSolver account API key; this is expected for the service, but it is sensitive account access and should be protected.

Skill content
API_KEY=CAP-XXXXX-your-api-key-here
Recommendation

Store the API key securely, avoid committing .env files, rotate the key if exposed, and monitor CapSolver account usage.

Medium
#ASI07: Insecure Inter-Agent Communication
What this means

Challenge data, page HTML, proxy details, and related browsing context may be shared with a third-party provider.

Why it was flagged

For Cloudflare tasks, the script can send target URL, user-agent, page HTML, and proxy information to the CapSolver provider API.

Skill content
'type': args.command,
                'websiteURL': args.websiteURL,
                'userAgent': args.userAgent,
                'html': args.html,
                'proxy': args.proxy
Recommendation

Do not submit sensitive page HTML, private URLs, or proxy credentials unless you trust the provider and understand what data is being transmitted.