Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Browser Session Manager

v1.0.0

Manage browser sessions for jimeng.jianying.com using Playwright by importing cookies/localStorage to automate video generation workflows with image upload a...

by 石头 @flyingzl
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (Browser Session Manager for jimeng.jianying.com) matches the included SKILL.md and code: all files implement browser automation, cookie/localStorage injection, and UI interactions for the jimeng site. No unrelated services or credentials are requested.
Instruction Scope
SKILL.md and scripts instruct the agent to read a session JSON (cookies/localStorage/sessionStorage), set them into a Playwright context, navigate and interact with the site, and optionally upload images/screenshots. This is within scope for session-based browser automation, but it necessarily requires handling sensitive authentication tokens (cookies/localStorage) which grant account access — users must understand this sensitivity. The instructions do not direct data to external endpoints beyond the target site and do not contain obvious exfiltration steps.
Install Mechanism
There is no install spec in the registry metadata, but SKILL.md and the code require Node.js and Playwright (and mention ImageMagick's 'convert' for image preprocessing). The package metadata declares no required binaries; that mismatch (missing declared dependencies and no install instructions) is a usability/security concern because a user could run scripts without realizing external binaries will be invoked or downloaded (Playwright downloads browser binaries).
Credentials
The skill does not request environment variables or other credentials in metadata. However, it consumes session JSON files that contain authentication cookies and tokens (e.g., sessionid, passport_csrf_token, odin_tt, ttwid). Access to those tokens is necessary for the stated purpose but is highly sensitive — providing them gives the script full authenticated access to the user's account on the target site.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and runs as a normal script. It writes screenshots/output to disk (paths like /tmp) which is expected. No evidence it persists credentials or elevates privileges beyond its own runtime.
Assessment
This skill appears to do what it says (automate jimeng via Playwright) but it requires you to provide a browser session JSON containing cookies and localStorage values — those are equivalent to account credentials and can be used to act as you on the site. Before installing or running:

1) Review the included JS files yourself (they are present and readable);
2) Only use session exports from accounts you control or are willing to risk (prefer throwaway/test accounts);
3) Install Node.js, Playwright, and ImageMagick from official sources and be aware Playwright may download browser binaries;
4) Run the scripts in an isolated environment (container or VM) and avoid running as root;
5) Do not share the session JSON or commit it to repos; delete session files when done;
6) Check terms-of-service for jimeng.jianying.com — automated access may violate TOS; and
7) Consider adding logging/auditing or limiting network access if you plan to run this in production.

The main technical inconsistency is the missing declared dependencies/install spec — ensure required tools are installed before executing.

Like a lobster shell, security has layers — review code before you run it.
