ClawHub

Camoufox Stealth Browser

v1.0.0

C++ level anti-bot browser automation using Camoufox (patched Firefox) in isolated containers. Bypasses Cloudflare Turnstile, Datadome, Airbnb, Yelp. Superior to Chrome-based solutions (undetected-chromedriver, puppeteer-stealth) which only patch at JS level. Use when standard Playwright/Selenium gets blocked.

1· 2.1k·2 current·2 all-time
by@kesslerio
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the included Python scripts (camoufox-fetch, camoufox-session, curl-api) and the declared runtime dependency (distrobox) is consistent with containerized execution. However the skill relies on third‑party Python packages (camoufox, curl_cffi) that are not part of the registry metadata and that will pull a large compiled browser at first run — this is expected for the stated purpose but raises provenance concerns.
!
Instruction Scope
SKILL.md and scripts instruct the agent to run distrobox-enter with python3.14, pip install packages, run camoufox.install(), and use residential proxies; they also reference environment variables (HTTP_PROXY/HTTPS_PROXY) and recommend embedding proxy credentials (http://user:pass@host:port). The skill's declared requires.env is empty, so the instructions reference env/config and proxy credentials not declared in metadata. The scripts accept proxy credentials on the command line (risk: shell history leakage) and write session/profile data to ~/.stealth-browser — actions that extend beyond a purely ephemeral, read-only skill.
!
Install Mechanism
There is no registry install spec; instead setup.sh uses pip to install camoufox and curl_cffi inside the pybox container and then calls camoufox.install(), which the documentation says downloads a ~700MB Firefox fork. That is effectively a remote binary download from an external project (origin not declared here). Although execution is intended inside a container (reducing host exposure), downloading and running an opaque compiled browser package is higher-risk and the registry package provides no provenance or release URL to audit.
!
Credentials
requires.env is empty but the documentation and references recommend setting HTTP_PROXY/HTTPS_PROXY and the scripts accept proxy URLs containing username:password. The skill does not declare or request these credentials in metadata, creating a mismatch between what it asks you to configure and what the registry shows. Also, proxy credentials are passed in CLI strings (and could be recorded in shell history) instead of recommending secure secret management.
Persistence & Privilege
always:false and no special platform privileges are requested. The code does persist user data: it creates ~/.stealth-browser/profiles, stores user_data_dir and cookies (export/import), and sets file permissions. That is reasonable for a session manager, but it does create persistent artifacts in the user's home which may contain cookies or other session data.
What to consider before installing
This skill appears to implement what it claims (a containerized, Firefox-fork based stealth browser) but has several red flags you should consider before installing or running it: 1) provenance: the camoufox package will download a large compiled Firefox fork (~700MB) from external sources — verify the package origin, inspect its install code, and prefer running in an isolated VM if you proceed; 2) undeclared env usage: the README/SKILL.md refer to HTTP_PROXY/HTTPS_PROXY and proxy credentials but the skill metadata doesn't declare these — treat any credentials you pass carefully (avoid putting secrets in command lines or shell history); 3) persistence: the tool stores profiles and cookies under ~/.stealth-browser — review and remove these artifacts if you stop using the skill; 4) legal/ethical: this tool is explicitly designed to bypass anti-bot protections — ensure you have permission to access/automate the target sites; 5) safer testing: if you want to try it, run the setup/install in an ephemeral VM or isolated container, inspect what camoufox.install() downloads, and review the camoufox package source on PyPI/GitHub before trusting the binary. If you need, I can list exact lines in the code that perform the downloads, proxy parsing, cookie saves, and where secrets may leak to help you audit further.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b3n6yn3rbnvfqnefmtyprq180cy38

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🦊 Clawdis
Binsdistrobox

Comments