Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Camoufox Stealth Browser
v1.0.0C++ level anti-bot browser automation using Camoufox (patched Firefox) in isolated containers. Bypasses Cloudflare Turnstile, Datadome, Airbnb, Yelp. Superior to Chrome-based solutions (undetected-chromedriver, puppeteer-stealth) which only patch at JS level. Use when standard Playwright/Selenium gets blocked.
⭐ 1· 2.1k·5 current·6 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description match the included scripts and docs: scripts implement Camoufox-based browser fetch, session management, and a TLS‑spoofing API client. Required binary (distrobox) is used throughout. No unrelated credentials or surprising system access are requested.
Instruction Scope
SKILL.md and scripts stay within the stated scope: they run commands inside a distrobox container, manage profiles under ~/.stealth-browser, import/export cookies, and accept proxy settings. The instructions do not attempt to read unrelated system config, other skills' tokens, or hidden endpoints.
Install Mechanism
There is no formal install spec in the registry, but scripts/setup.sh instructs pip installing 'camoufox' and running camoufox.install(), which will download a ~700MB browser binary at first run. The provenance and download URLs for that binary are not surfaced here — this is the primary risk (unverified external binaries pulled at runtime).
Credentials
The skill declares no required env vars or credentials. Proxy credentials may be supplied to scripts (CLI or environment) and that is proportional to the task. No unrelated secret or cloud credentials are requested.
Persistence & Privilege
The skill does write persistent profile data to ~/.stealth-browser/profiles (with 0700) to support sessions — that's reasonable for browser profiles. always=false. Note: the agent can invoke the skill autonomously (platform default); combined with a capability that evades anti-bot protections this increases potential for misuse, but autonomy alone is not a coherence problem.
Assessment
This skill appears coherent with its stated purpose, but take these precautions before installing or running it:
- Verify the camoufox package provenance: inspect the camoufox project (PyPI/GitHub) and, if possible, review camoufox.install() to see where it downloads the ~700MB browser and whether checksums are used. Unknown binary downloads are the main risk.
- Run setup and first use inside an isolated VM/container (distrobox is recommended by the skill) and avoid running on sensitive hosts.
- Treat proxy credentials carefully: prefer storing them in a file with restricted permissions or in a secrets manager, not on shared command lines or logs.
- Audit the pip packages (camoufox, curl_cffi) before installing; consider pinning versions and verifying package signatures if available.
- Be aware of legal and policy implications of using tools designed to bypass anti-bot protections; ensure your usage complies with site terms and applicable law.
If you want higher confidence: provide the camoufox package details (PyPI/GitHub URL, camoufox.install() implementation or the downloaded binary URL and checksum); that would let a reviewer confirm the download source and integrity and raise confidence to high.Like a lobster shell, security has layers — review code before you run it.
latestvk973ctxd1sz6rb0fby5jyn0cc980d6gx
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🦊 Clawdis
Binsdistrobox