ClickMap
v1.0.2
Chrome UI automation skill for saving named on-screen targets and reusing them with reliable click/type actions. Use when browser automation is flaky, select...
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to provide reliable click/type actions for automations, but the SKILL.md and UI repeatedly reference an action runner (scripts/clickmap-actions.ps1), an autostart installer, and a launcher (start-bridge.cmd) that are NOT present in the file manifest. The included files implement the Chrome extension and a local bridge that stores POIs, but no included script implements the agent-side click/type runner. Declared requirements list no env vars, yet the bridge supports CLICKMAP_PORT and CLICKMAP_TOKEN. This mismatch means the skill as packaged cannot perform the runtime click/type actions it advertises without additional missing files.
Instruction Scope
SKILL.md instructs users/agents to load the unpacked extension and run a local Node bridge; that's consistent with the included extension and scripts/bridge-server.js. However the runtime instructions also tell the agent to call a PowerShell action runner (for clicks/types) located at $HOME/.openclaw/.../scripts/clickmap-actions.ps1 which is not included. The extension/content scripts capture element selectors, viewport/screen coords, and call the local bridge via POST /api/pois. The instructions do not request any unrelated system files, but they grant the bridge endpoint broad CORS headers and (unless the user sets a token) no auth — the doc's claim
What to consider before installing
What to consider before installing or running this skill:
- Missing action runner: The skill advertises an action runner (clickmap-actions.ps1) and autostart scripts, but those files aren't included. Ask the publisher for the missing scripts or supply your own before relying on the skill for automated click/type flows.
- Local bridge CORS and default auth: The included bridge (scripts/bridge-server.js) listens on 127.0.0.1 and, by default, has no token. It sets Access-Control-Allow-Origin: * so any web page can read or write the POI data if the bridge is running without a token. If you run the bridge, set the CLICKMAP_TOKEN environment variable (and configure the extension to use it) to avoid leaving POIs accessible to arbitrary sites.
- Undeclared env vars: The package metadata declares no required env vars, but the bridge reads CLICKMAP_PORT and CLICKMAP_TOKEN. If you run the bridge, set CLICKMAP_TOKEN to a strong secret and consider changing the port if you have multiple local services.
- Data sensitivity: The supplied data/pois.json already contains POIs for login fields (e.g., PASSWORD_BOX). POIs may encode coordinates/selectors for sensitive UI elements; treat saved POIs as sensitive data and avoid running the bridge without a token.
- Source provenance: The skill's source and homepage are unknown. Consider running the Node bridge only from a controlled environment, inspect or replace the missing action scripts before use, and avoid enabling any autostart/install scripts until you can review them.
If you want, I can list the exact lines that implement the bridge API and where to change the code to require auth/CORS restrictions, or help you create a safe clickmap-actions.ps1 stub to match the advertised behavior.
Like a lobster shell, security has layers — review code before you run it.
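A request gate for a loopback bridge of the kind the scan describes, as an added example that is not the ClickMap bridge's own code: it refuses to run without CLICKMAP_TOKEN, rejects any browser Origin other than the extension's instead of answering with Access-Control-Allow-Origin: *, and compares the token in constant time. The `gate` function, the `X-ClickMap-Token` header name and the extension ID are hypothetical, and it assumes the extension calls the bridge from its own origin rather than from a content script running in the page.

```javascript
// Added example: NOT the code in scripts/bridge-server.js.
const crypto = require('node:crypto');

// Constructed sample config. In a real bridge the token would come from
// process.env.CLICKMAP_TOKEN; the extension ID below is a placeholder.
const SAMPLE_CFG = {
  token: 'constructed-sample-token',
  allowedOrigin: 'chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
};

// Hash both sides to equal length, then compare in constant time.
function tokenMatches(presented, expected) {
  const a = crypto.createHash('sha256').update(String(presented || '')).digest();
  const b = crypto.createHash('sha256').update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}

// Decide status and response headers before any POI data is read or written.
// req is shaped like Node's http.IncomingMessage (method, lower-cased headers).
function gate(req, cfg) {
  if (!cfg.token) {
    throw new Error('CLICKMAP_TOKEN is not set; refusing to serve unauthenticated');
  }
  const origin = req.headers.origin;
  const headers = { Vary: 'Origin' };

  // An Origin header means a browser context is calling. Anything other than
  // the extension's own origin gets no CORS grant and no data.
  if (origin !== undefined && origin !== cfg.allowedOrigin) {
    return { status: 403, headers };
  }
  if (origin) headers['Access-Control-Allow-Origin'] = origin;

  // Preflight: advertise only the methods and headers the bridge needs.
  if (req.method === 'OPTIONS') {
    headers['Access-Control-Allow-Methods'] = 'GET, POST';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, X-ClickMap-Token';
    return { status: 204, headers };
  }

  // Local non-browser callers send no Origin, so the token is still
  // required on every request.
  if (!tokenMatches(req.headers['x-clickmap-token'], cfg.token)) {
    return { status: 401, headers };
  }
  return { status: 200, headers };
}
```

A handler would call `gate(req, cfg)` first and only touch data/pois.json when the returned status is 200.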
latest
ClickMap
Make flaky web automation stable: save named points once, then click/type by name every time.
Why people use this
- Stops brittle selector/DOM failures in UI automation flows
- Reuses human-readable names instead of random coordinates
- Great for repeat tasks: click target → type text → submit
Resources
- Extension folder: assets/chrome-extension/
- Local bridge: scripts/bridge-server.js
- Optional launcher: scripts/start-bridge.cmd
- Autostart installer: scripts/install-autostart.ps1
- Action runner: scripts/clickmap-actions.ps1
- Data file: data/pois.json
Capture flow (user)
- Load unpacked extension from assets/chrome-extension.
- Start bridge (node scripts/bridge-server.js or start-bridge.cmd).
  - Optional: powershell -ExecutionPolicy Bypass -File scripts/install-autostart.ps1 -RunNow to keep bridge auto-running after reload/login.
- Open target page (example: https://suno.com/create).
- Toggle marking ON from popup.
- Hover mouse at exact pixel and press P to add point.
- Native prompt opens: enter POI name and save.
- Press D while hovering near a point to delete nearest saved POI.
- Bright pink dots show saved points on that page.
POIs auto-sync to bridge when possible. Use popup Sync POIs if needed.
Agent action commands (no desktop-control)
Always use the ClickMap action runner for clicks/types:
# List points
powershell -ExecutionPolicy Bypass -File "$HOME/.openclaw/workspace/skills/clickmap/scripts/clickmap-actions.ps1" -Action list
# Click saved point exactly (screen coords)
powershell -ExecutionPolicy Bypass -File "$HOME/.openclaw/workspace/skills/clickmap/scripts/clickmap-actions.ps1" -Action click -PoiName "suno_com.LyricsBox"
# Type text into focused field (paste mode by default)
powershell -ExecutionPolicy Bypass -File "$HOME/.openclaw/workspace/skills/clickmap/scripts/clickmap-actions.ps1" -Action type -Text "hello world" -ClearFirst
# Click then type in one call
powershell -ExecutionPolicy Bypass -File "$HOME/.openclaw/workspace/skills/clickmap/scripts/clickmap-actions.ps1" -Action click-type -PoiName "suno_com.songName" -Text "Still Learning My Name (Remix)" -ClearFirst
Notes
- Best results come from POIs that include coords.screen (new captures do this automatically).
- If an old POI misses screen coords, just re-save it once.
- Use clear names (example: suno_com.StylesBox) so automations stay readable.
- The bridge runs locally on your machine (localhost only).
