Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Camofox Browser Remote

v1.0.2

Remote-mode anti-detection browser automation using Camoufox (Firefox fork with C++ fingerprint spoofing). Requires CAMOFOX_URL pointing to an externally-man...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for kuo77122/camofox-browser-remote.

Install the skill "Camofox Browser Remote" (kuo77122/camofox-browser-remote) from ClawHub.
Skill page: https://clawhub.ai/kuo77122/camofox-browser-remote
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install kuo77122/camofox-browser-remote

ClawHub CLI

npx clawhub@latest install camofox-browser-remote

Security Scan

Capability signals: Crypto

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

[!] Purpose & Capability
The SKILL.md and included scripts clearly require a CAMOFOX_URL (and optionally CAMOFOX_SESSION / HTTPS_PROXY), write state to /tmp, and drive an external browser over HTTP. But the registry metadata lists no required environment variables or primary credential — that is inconsistent. The code files and templates are consistent with the stated purpose (remote-mode browser automation), so the main coherence problem is the missing CAMOFOX_URL declaration in the metadata.
[!] Instruction Scope
Runtime instructions and the script send snapshots, screenshots, typed text, tab IDs and navigation history to whatever CAMOFOX_URL is set to (via curl). The SKILL.md warns users to only point at a server they control, which is appropriate, but this behavior means pointing CAMOFOX_URL at an attacker-controlled host would exfiltrate sensitive browsing data. The scripts also read/write local state files (/tmp/camofox-state and /tmp/camofox-screenshots) and reference local paths in templates (e.g., $HOME/.claude/skills...), which is expected for this tool.
Install Mechanism
There is no install spec; the skill is instruction/script-based and runs local bash/python3/curl commands already present on the host. That is low-risk compared to downloading and executing remote archives. The bundle does include executable scripts and templates that will be run locally if invoked.
[!] Credentials
The runtime requires CAMOFOX_URL (mandatory), CAMOFOX_SESSION (optional) and optionally HTTPS_PROXY, but the registry metadata omitted these requirements. No cloud credentials are requested (good), however the required CAMOFOX_URL grants the remote server full visibility into snapshots, screenshots, typed data and navigation — a high-sensitivity capability that must be justified and limited. The mismatch between declared and actual env requirements is unexpected and should be corrected.
Persistence & Privilege
The skill does not request always:true and is user-invocable; autonomous invocation is allowed by default. The script stores transient state and screenshots under /tmp which is normal for this use case. Because the agent can invoke skills autonomously, a compromised or malicious CAMOFOX_URL could be abused at runtime — but autonomous invocation alone is not a disqualifying issue.
What to consider before installing
Key things to consider before installing:

  1. The SKILL.md requires CAMOFOX_URL but the registry metadata does not list any required env vars — ask the publisher to correct that.
  2. This skill will send page snapshots, screenshots, typed text and navigation metadata to whatever CAMOFOX_URL you set — only point it at a server you control/trust (run your own Camofox container locally or in an isolated network).
  3. Do not set CAMOFOX_URL to a third-party or unknown endpoint if you will interact with credentials, personal data, or corporate sites.
  4. Review scripts (scripts/camofox-remote.sh and templates) before aliasing or running them; they use curl and python3 to POST/GET data and write files to /tmp.
  5. If you need to allow this skill to run autonomously, restrict network egress or run the agent in an environment where CAMOFOX_URL can only reach your controlled Camofox instance.
  6. If the publisher cannot justify the metadata mismatch, treat the skill as untrusted until corrected.

Like a lobster shell, security has layers — review code before you run it.

123 downloads
0 stars
3 versions
Updated 5d ago
v1.0.2
MIT-0

Camofox Browser — Remote Mode (Docker / Shared Server)

Stealth browser automation via Camoufox. Drives an externally-managed server over HTTP — no install, no local Node process.

Setup (required)

export CAMOFOX_URL=http://172.17.0.1:9377   # required — no default

The server runs externally (Docker container, shared staging, CI). This skill only drives it. See references/docker.md for Docker networking details.

If camofox-remote is not found on PATH: set an alias using the script that ships with this skill. Replace <SKILL_DIR> with the directory containing this SKILL.md file:

alias camofox-remote="bash <SKILL_DIR>/scripts/camofox-remote.sh"

Example: if this SKILL.md is at ~/my-skills/camofox-browser-remote/SKILL.md, use ~/my-skills/camofox-browser-remote.

Trust requirement: Every command — page snapshots, screenshots, typed text, navigation history — is sent over HTTP to CAMOFOX_URL. Only point this at a server you own and control. Do not use a shared or third-party endpoint if you will visit sites with credentials or sensitive data.
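
One way to enforce the trust requirement above before any command runs, as an added example that is not part of the skill's own scripts: a bash guard that parses CAMOFOX_URL and proceeds only when its host is on an operator-defined allowlist. CAMOFOX_ALLOWED_HOSTS and the function names are hypothetical, introduced here; the guard assumes camofox-remote is on PATH.

```shell
#!/usr/bin/env bash
# Added example: pre-flight guard for CAMOFOX_URL (not part of the skill).
# CAMOFOX_ALLOWED_HOSTS is a hypothetical variable introduced for this example.

# Print the lowercased host of an http(s) URL; fail on anything else.
camofox_url_host() {
  local url="$1" rest authority host
  case "$url" in
    http://*|https://*) rest="${url#*://}" ;;
    *) return 1 ;;                        # unset, empty, or non-HTTP scheme
  esac
  authority="${rest%%[/?#]*}"             # drop path, query, fragment
  case "$authority" in
    *@*) return 1 ;;                      # userinfo can disguise the real host
  esac
  case "$authority" in
    \[*\]*) host="${authority%%\]*}"; host="${host#\[}" ;;  # [IPv6]:port
    *)      host="${authority%%:*}" ;;                      # host:port
  esac
  [ -n "$host" ] || return 1
  printf '%s\n' "$host" | tr 'A-Z' 'a-z'
}

# Succeed only when the URL's host exactly matches an allowlist entry.
# The allowlist is a space-separated list; the default is loopback only.
camofox_url_allowed() {
  local host allowed
  host="$(camofox_url_host "$1")" || return 1
  for allowed in ${CAMOFOX_ALLOWED_HOSTS:-127.0.0.1 localhost ::1}; do
    [ "$host" = "$allowed" ] && return 0
  done
  return 1
}

# Wrapper: refuse to send anything to a server that is not allowlisted.
camofox_guarded() {
  if ! camofox_url_allowed "${CAMOFOX_URL:-}"; then
    echo "refusing: CAMOFOX_URL host is not in CAMOFOX_ALLOWED_HOSTS" >&2
    return 1
  fi
  camofox-remote "$@"
}
```

For the Docker bridge address used on this page, set CAMOFOX_ALLOWED_HOSTS="172.17.0.1" and call camofox_guarded in place of camofox-remote. An allowlist match shows only that the host is the one you named; it does not replace restricting network egress for an autonomously running agent.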

Quick Start

camofox-remote open https://example.com      # Create tab + navigate
camofox-remote snapshot                      # Get page elements with @refs
camofox-remote click @e1                     # Click element
camofox-remote type @e2 "hello"              # Type text
camofox-remote screenshot                    # Save PNG
camofox-remote close                         # Close tab

Core Workflow

  1. Navigate: camofox-remote open <url>
  2. Snapshot — returns an accessibility tree with @e1, @e2 refs (~90% smaller than raw HTML)
  3. Interact — use refs to click, type, scroll
  4. Re-snapshot — after any DOM change, refs are invalidated; get fresh ones
  5. Repeat — the server stays running between commands

camofox-remote open https://example.com/search
camofox-remote snapshot
# @e1 [input] Search box  @e2 [button] Submit
camofox-remote type @e1 "camoufox anti-detection"
camofox-remote click @e2
camofox-remote snapshot                      # MUST re-snapshot after navigation

Commands (at a glance)

Category     Commands
Server       health, start (no-op — manage container externally), stop (no-op — manage container externally)
Navigation   open <url>, navigate <url>, back, forward, refresh, scroll [down|up|left|right]
Page state   snapshot, screenshot [path], tabs, links
Interaction  click @eN, type @eN "text"
Search       search google "query" (13 macros — see references/macros.md)
Session      --session <name> <cmd>, close, close-all

Full reference with curl equivalents: references/commands.md.

Ref Lifecycle (critical)

Refs (@e1, @e2) are invalidated whenever the DOM changes. Always re-snapshot after:

  • Clicking links/buttons that navigate
  • Form submissions
  • Dynamic content loads (infinite scroll, SPA route change)

Environment Variables

Variable         Default   Meaning
CAMOFOX_URL      REQUIRED  Remote base URL — e.g. http://172.17.0.1:9377. No default.
CAMOFOX_SESSION  default   Default session name (isolated cookies/storage)
HTTPS_PROXY      (unset)   Outbound proxy for the browser

When to Use camofox-browser-remote vs agent-browser

Scenario                              Tool
Normal websites, no bot detection     agent-browser (faster)
Cloudflare / Akamai protected         camofox-browser-remote
Sites that block Chromium automation  camofox-browser-remote
Need anti-fingerprinting              camofox-browser-remote
Need iOS / mobile simulation          agent-browser
Need video recording                  agent-browser

Deep-Dive References

File                           Load when
references/docker.md           Docker setup, networking, compose example, CAMOFOX_URL configuration
references/commands.md         Need exact args, output format, or curl equivalent of any command
references/api-reference.md    Calling an endpoint the wrapper doesn't expose
references/macros.md           Using search macros (@google_search, etc.)
references/troubleshooting.md  Debugging failures (connect refused, stale refs, empty snapshots)

Ready-to-Use Templates

File                         Description
templates/stealth-scrape.sh  Full anti-detection scrape (screenshot + snapshot + links)
templates/multi-session.sh   Parallel URLs in isolated sessions

Cleanup

Always close when done:

camofox-remote close-all
camofox-remote stop    # no-op in remote mode; manage the container externally
