Tonghuashun Ifind

This skill appears to implement iFinD API access and uses browser automation to obtain tokens — that is reasonable for its purpose — but there are two practical issues to consider before installing or running it: 1) Missing declared dependencies: the runtime uses Playwright and requests but the skill metadata only lists python3. Ensure you or your environment installs and reviews those packages before running the skill (pip install playwright requests, and install Playwright browsers), and verify no unexpected network installers run. 2) Broad browser capture: the Playwright adapter captures response payloads, request headers, localStorage/sessionStorage and cookies. Although the code tries to extract iFinD access_token/refresh_token, this capture can also collect unrelated secrets from the browser (other site tokens, stored credentials). To reduce risk, prefer supplying tokens via auth-set-tokens rather than providing username/password; if you must use auth-login, run it in an isolated environment (dedicated VM/container/profile) and review the code in scripts/runtime/tonghuashun_ifind_skill/browser_login.py so you understand exactly what will be captured. Additional suggestions: - Review DEFAULT_BASE_URL and ensure it matches the official iFinD endpoint you expect. - Inspect and lock permissions on the token state file (~/.openclaw/tonghuashun-ifind/token_state.json) if sensitive tokens will be stored there. - If you do not want the agent to run this skill autonomously, disable or gate the skill in your agent configuration; autonomous invocation plus broad capture increases blast radius. If you want, I can list the exact lines that capture browser storage/headers/cookies, enumerate missing Python deps, or draft a safer workflow that uses manual token injection instead of browser login.