Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

hubstudio

HubStudio OpenAPI skill for full endpoint lookup, request/response field explanation, and parameter constraint checking. Use when querying HubStudio API inte...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 25 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match what is present: generated OpenAPI commands, a CLI (hubstudio.js), full reference, and Playwright automation examples. Required binaries/env vars are minimal and proportional (optional HUBSTUDIO_BASE_URL/HUBSTUDIO_AUTH_TOKEN). Nothing requested is unrelated to HubStudio automation.
Instruction Scope
SKILL.md instructs the agent/user to call the local HubStudio API (default http://127.0.0.1:6873), start/stop environments, retrieve debuggingPort and connect via Playwright to automate web pages (e.g., baidu.com) and to write reports/summaries. These actions are within the stated purpose, but the skill (and included scripts) will actively navigate external websites and extract page content and will create local report files — which is expected but worth noting from a privacy perspective.
Install Mechanism
No automatic install spec is included (instruction-only install). package.json lists Playwright as an optional dependency you would install manually; using the public npm registry is normal. No opaque downloads or extraction from arbitrary URLs are present.
Credentials
The skill does not require secrets by default. It documents optional HUBSTUDIO_BASE_URL and HUBSTUDIO_AUTH_TOKEN environment variables which are reasonable. One oddity: generated default request bodies include unusual keys like '01KAJX...'/similar hex-like keys in defaultBody values — these look like placeholder or instrumented keys and are not documented in SKILL.md; their presence is unusual but not necessarily malicious. The skill does call endpoints that can return ADB credentials or execute shell commands on cloud phones (e.g., /api/v1/cloud-mobile/exe-command and list-adb), which are powerful but coherent with HubStudio functionality.
Persistence & Privilege
always is false and the skill does not request persistent platform privileges. It writes local report and summary files (node_test_all_report.json, summary files) and may create or suggest symlinks when installing into the OpenClaw workspace — these are expected for a local automation skill and don't indicate overbroad privileges.
Assessment
This skill appears to be what it says: a local HubStudio OpenAPI helper plus Playwright automation examples. Before installing, verify you actually run HubStudio locally and trust that local service. Be aware the skill exercises powerful endpoints (e.g., execute shell on cloud phones, retrieve ADB connection/password info) — if an untrusted agent or user invokes those, those endpoints could be abused. Review the included files (hubstudio.js, commands.generated.json, openapi.yaml, and the Playwright demo) yourself, especially the defaultBody entries that contain odd hex-like keys, and don't set a HUBSTUDIO_AUTH_TOKEN globally unless necessary. Only run npm install/playwright from trusted networks/registries and consider running the demo in an isolated account or VM if you're cautious. If you need more assurance, request the upstream source (homepage/repo) or ask the publisher for explanation of the unusual defaultBody keys and for explicit documentation of required auth fields.
playwright_hubstudio_baidu_demo.js:11
Shell command execution detected (child_process).
hubstudio.js:8
Environment variable access combined with network send.
commands.generated.json:2
Install source points to URL shortener or raw IP.
hubstudio.js:7
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latest: vk97f11km8pwqghf20x206vk7md831dee

SKILL.md

HubStudio Integration Guide

Table of Contents

  1. Introduction
  2. Installation
  3. Configure HubStudio
  4. Using API/CLI
  5. Connection Details
  6. Automation Examples
  7. FAQ
  8. Advanced Usage
  9. ADB Connection Skill
  10. Resources

Introduction

HubStudio provides browser environment automation, cloud phone operations, environment management, account management, and group management through local APIs.

This Skill is designed to:

  • Locate all HubStudio endpoints quickly
  • Explain request/response fields and constraints
  • Provide safe call patterns for automation
  • Standardize API testing and troubleshooting

Core docs:


Installation

1. Install HubStudio Desktop

Install and open the HubStudio client on your machine, then log in.

2. Verify Local API Service

The current OpenAPI file uses:

http://127.0.0.1:6873

Verify service health with:

curl -s -X POST "http://127.0.0.1:6873/api/v1/browser/all-browser-status" \
  -H "Content-Type: application/json" \
  -d '{}'

3. Install Optional Tooling

# API calls and JSON inspection
brew install curl jq

# Python validation scripts
python3 -m pip install --user pyyaml

Configure HubStudio

1. Login and Prepare Data

  1. Log in to the HubStudio client
  2. Ensure browser environments/cloud phones exist
  3. Confirm the local API is reachable

2. Configure Runtime Variables (Optional)

export HUBSTUDIO_BASE_URL="http://127.0.0.1:6873"
export HUBSTUDIO_AUTH_TOKEN="<your-token-if-needed>"
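
Because HUBSTUDIO_BASE_URL is overridable and the scan report above singles out the exe-command and list-adb endpoints, a wrapper can check each call before sending it or attaching a token. This is an added example, not code from hubstudio.js; preflight, its reason strings and the allowSensitive option are hypothetical names, and the two segment names are the ones quoted in the scan report.

```javascript
// Added example, not part of hubstudio.js: pre-flight check for one API call.
const LOOPBACK_HOSTS = new Set(['127.0.0.1', 'localhost', '[::1]']);
// Final path segments of the endpoints the scan report calls powerful.
const SENSITIVE_SEGMENTS = new Set(['exe-command', 'list-adb']);

function preflight(baseUrl, path, { allowSensitive = false } = {}) {
  let url, lastSegment;
  try {
    // Resolve first: an absolute or protocol-relative `path` replaces the
    // host of baseUrl, so the checks must run on the resolved URL.
    url = new URL(path, baseUrl);
    const segments = url.pathname.split('/').filter(Boolean);
    lastSegment = decodeURIComponent(segments.pop() || '').toLowerCase();
  } catch {
    return { ok: false, reason: 'invalid-url' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'bad-scheme' };
  }
  if (!LOOPBACK_HOSTS.has(url.hostname)) {
    return { ok: false, reason: 'non-loopback-host' };
  }
  if (SENSITIVE_SEGMENTS.has(lastSegment) && !allowSensitive) {
    return { ok: false, reason: 'sensitive-endpoint' };
  }
  return { ok: true, url: url.href };
}

// Constructed sample calls against the configured (or default) base URL.
const base = process.env.HUBSTUDIO_BASE_URL || 'http://127.0.0.1:6873';
for (const p of ['/api/v1/browser/start', '/api/v1/cloud-mobile/exe-command']) {
  console.log(p, preflight(base, p));
}
```

Pass allowSensitive only for calls a human has explicitly approved, so an agent-initiated request to a command-execution or ADB-credential endpoint is refused by default.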

3. Timing Notes

  • Browser environment startup typically takes 3-5 seconds
  • Cloud phone startup typically takes 30-90 seconds
  • Build retry/timeout logic based on those windows

Using API/CLI

HubStudio OpenAPI in this project contains 56 operations across these domains:

  • Browser Environment
  • Cloud Phone
  • Environment Management
  • Account Management
  • Group Management

Recommended Call Pattern

curl -s -X POST "$HUBSTUDIO_BASE_URL/<endpoint>" \
  -H "Content-Type: application/json" \
  -d '<json-body>'

Node CLI (Direct Execution)

This project includes hubstudio.js, so you can execute capabilities directly:

node hubstudio.js help
node hubstudio.js list
node hubstudio.js browserCreate
node hubstudio.js browserStart 1474900026
node hubstudio.js browserStatus 1474900026
node hubstudio.js browserForeground 1474900026
node hubstudio.js browserArrange
node hubstudio.js browserStop 1474900026
node hubstudio.js testAll

hubstudio.js now supports all OpenAPI endpoints via generated commands in commands.generated.json. Example generated command:

node hubstudio.js postV1BrowserStart --body '{"containerCode":"1474900026"}'

Cloud Phone ADB Commands

# Enable ADB
node hubstudio.js postV1CloudMobileBatchUpdateAdb --body '{"mobileIds":["<mobileId>"],"enableAdb":true}'

# Query ADB connection info
node hubstudio.js postV1CloudMobileListAdb --body '{"mobileIds":["<mobileId>"]}'

Common Browser Environment APIs

# Open environment
curl -s -X POST "http://127.0.0.1:6873/api/v1/browser/start" \
  -H "Content-Type: application/json" \
  -d '{"containerCode":"1474900026"}'

# Close environment
curl -s -X POST "http://127.0.0.1:6873/api/v1/browser/stop" \
  -H "Content-Type: application/json" \
  -d '{"containerCode":"1474900026"}'

# Get all open environment status
curl -s -X POST "http://127.0.0.1:6873/api/v1/browser/all-browser-status" \
  -H "Content-Type: application/json" \
  -d '{}'

Discover Full Endpoint Details

  • Open reference.md for:
    • All endpoints and methods
    • Request/response field descriptions
    • Required fields and constraints
    • Grouped view by tags

Connection Details

Base URL

From openapi.yaml:

http://127.0.0.1:6873

Response Convention

Most endpoints return:

{
  "code": 0,
  "msg": "Success",
  "data": {}
}

Interpretation:

  • code = 0: success
  • non-zero code: business error (missing field, not found, permission, precondition)

Automation Examples

Example 1: Open Browser Environment

node hubstudio.js browserStart 1474900026

Example 2: Query Running Browser Environments

node hubstudio.js browserStatus

Example 3: Smoke Test All OpenAPI Endpoints

# Current smoke test report (generated previously):
cat scripts/endpoint_test_report.json | jq '.total, .reachable, .transport_fail_count'

Example 4: Validate Skill Completeness

python3 scripts/validate_completeness.py

FAQ

Q1: API Returns HTTP 200 But Business Failure

This is expected for many endpoints. Check the code and msg fields of the response body for the business-level result.

Q2: Environment Open Failed

Check:

  1. containerCode is correct
  2. Environment exists in current account/workspace
  3. HubStudio client is logged in and local service is running

Q3: Why Some Endpoint Tests Fail with Missing Parameters?

Endpoint smoke tests are designed for reachability first. Business failures due to required params/resources are normal unless strict case data is provided.

Q4: How to Find Required Fields?

Use reference.md. Each endpoint lists:

  • Required parameters
  • Request body required fields
  • Type and constraint details

Advanced Usage

1. OpenClaw Integration

In OpenClaw workflows, call HubStudio endpoints directly with structured payloads:

# Example: open environment
openclaw hubstudio call --path "/api/v1/browser/start" \
  --method POST \
  --body '{"containerCode":"1474900026"}'

2. Retry Strategy

  • Browser environment APIs: retry 1-2 times, interval 2-3 seconds
  • Cloud phone APIs: retry 2-4 times, interval 5-10 seconds
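
The response convention under Connection Details and the retry windows above can be combined in one wrapper. This is an added example, not code from hubstudio.js: callWithRetry, the send transport and the outcome names are hypothetical, and retrying only transport failures and non-200 statuses (never a non-zero business code) is an assumption.

```javascript
// Added example, not part of hubstudio.js. Upper bounds of the guide's windows.
const RETRY = {
  browser: { retries: 2, delayMs: 3000 },     // retry 1-2 times, 2-3 s apart
  cloudPhone: { retries: 4, delayMs: 10000 }  // retry 2-4 times, 5-10 s apart
};
const realSleep = ms => new Promise(resolve => setTimeout(resolve, ms));

// send(): hypothetical transport; resolves to { status, body } or throws
// when the local service is unreachable.
async function callWithRetry(send, kind, sleep = realSleep) {
  const { retries, delayMs } = RETRY[kind];
  let last;
  for (let attempt = 0; attempt <= retries; attempt++) {
    if (attempt > 0) await sleep(delayMs);
    try {
      const { status, body } = await send();
      if (status !== 200) {
        last = { outcome: 'http-error', status };
        continue;
      }
      if (body && body.code === 0) {
        return { outcome: 'ok', data: body.data, attempts: attempt + 1 };
      }
      // HTTP 200 with a non-zero code is a business error (missing field,
      // not found, permission, precondition): report it, do not retry.
      return { outcome: 'business-error', code: body && body.code,
               msg: body && body.msg, attempts: attempt + 1 };
    } catch (err) {
      last = { outcome: 'transport-error', error: String(err.message || err) };
    }
  }
  return { ...last, attempts: retries + 1 };
}

// Constructed transport: refuses twice, then answers with the success shape.
let demoCalls = 0;
const demoSend = async () => {
  if (++demoCalls < 3) throw new Error('ECONNREFUSED');
  return { status: 200, body: { code: 0, msg: 'Success', data: {} } };
};
callWithRetry(demoSend, 'browser', async () => {}).then(r => console.log(r));
```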

3. Batch Operations

For batch tasks, iterate IDs with per-item result logging and partial-failure tolerance.

4. Validation Loop

  1. Update data in openapi.yaml
  2. Re-generate reference.md
  3. Run python3 scripts/validate_completeness.py
  4. Run endpoint smoke tests and inspect scripts/endpoint_test_report.json

ADB Connection Skill

Use this capability when the user asks to connect cloud phones through ADB.

  • Android 12 / Android 15: direct adb connect <ip:port> mode
  • Android 13 / Android 14 / Android 15A: SSH tunnel + adb connect localhost:<port> mode
  • Full guide and command templates: ADB_CONNECTION_GUIDE.md

Execution rule:

  1. Ensure cloud phone is powered on
  2. Enable ADB via postV1CloudMobileBatchUpdateAdb
  3. Query ADB info via postV1CloudMobileListAdb
  4. Choose direct or tunnel workflow by Android version
  5. Validate with adb devices

Resources

Files

11 total