pinchtab-skill
v1.0.0
Control a headless or headed Chrome browser through the PinchTab HTTP API, for web automation, scraping, form filling, navigation, screenshots and data extraction.
by 张贝 @hellotombruce
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description claim a local HTTP API to control Chrome; all included docs and examples show use of a local pinchtab binary and a local HTTP API on port 9867. The declared requirements are minimal (no env vars required by the registry), which matches the instruction-only nature of the skill. Nothing in the docs asks for unrelated services or secrets.
Instruction Scope
SKILL.md instructs the agent to start and call a local pinchtab process and to interact with its HTTP endpoints (navigate, snapshot, action, etc.). This stays within the stated browser-automation scope. Important caveat: the docs explicitly note that if you point PinchTab at a Chrome profile containing saved logins/cookies, the agent (and any callers of the API) can access authenticated sites. The instructions also encourage binding and tokens, which is good, but they implicitly permit disabling Chrome sandbox (BRIDGE_NO_SANDBOX) and changing bind address — both are powerful options that increase risk if misused.
Install Mechanism
There is no install spec — lowest-risk delivery in that nothing is written by the skill package itself. However, that means the skill expects an external 'pinchtab' binary already present; obtaining and verifying that binary is the user's responsibility. The documentation does not include a trusted download/source or release host; verify the origin of the pinchtab binary before running.
Credentials
The skill does not require unrelated secrets. Documented environment variables (BRIDGE_BIND, BRIDGE_PORT, BRIDGE_TOKEN, BRIDGE_PROFILE, BRIDGE_BLOCK_IMAGES, etc.) are relevant to its function. Two environment-related concerns to be aware of: (1) BRIDGE_PROFILE can give the process access to cookies/saved passwords if you point it at your daily Chrome profile; (2) BRIDGE_BIND set to 0.0.0.0 or omitting BRIDGE_TOKEN exposes the API to the network. The docs call these out, which is appropriate.
Persistence & Privilege
The skill is instruction-only and not always-enabled; it does not request persistent elevated platform privileges, nor does it modify other skills or global agent configuration. Autonomous invocation is allowed (platform default), which is expected for a skill that will make local HTTP calls; this increases blast radius only if you run the pinchtab service with an unsafe configuration (public bind, no token, or shared profile).
Assessment
This skill is coherent with its stated purpose, but you must make operational choices carefully:
1) Do not point BRIDGE_PROFILE at your everyday Chrome profile — create and use an empty dedicated profile to avoid exposing saved logins.
2) Keep BRIDGE_BIND=127.0.0.1 and set BRIDGE_TOKEN if the service is reachable from any network; if you must bind publicly, restrict access with firewall rules.
3) Avoid disabling the Chrome sandbox (BRIDGE_NO_SANDBOX) unless you understand the risk.
4) There is no packaged installer or bundled binary — verify and obtain the pinchtab executable from a trusted source before running.
5) If you plan to allow an autonomous agent to call this API, consider limiting its permissions and monitoring requests/logs.
If you want a deeper assessment, provide the pinchtab binary source or a release URL so I can evaluate install provenance and the binary itself.
Like a lobster shell, security has layers — review code before you run it.
