MoreLogin

v1.0.3

Manage MoreLogin anti-detect browser profiles and cloud phones through the official Local API (http://127.0.0.1:40000), including browser profile lifecycle,...

⭐ 0· 402·0 current·0 all-time

byMoreLogin Antidetect Browser@moreloginbrowser

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

Name/description match the implemented artifacts: a Node CLI that calls the MoreLogin Local API on localhost and exposes browser profile, cloud phone, proxy/group/tag management. Declared requirements (node, adb) and the brew install of android-platform-tools are appropriate for ADB-related features. Minor documentation inconsistencies exist (some docs mention port 5050 while SKILL.md/README-OFFICIAL-API use 40000), but this looks like stale docs rather than malicious mismatch.

ℹ

Instruction Scope

SKILL.md and the included docs constrain operations to the MoreLogin Local API (localhost) and describe expected flows (start/status/close, cloudphone info/ADB metadata, CDP connections). The instructions do not direct reading of unrelated host files or exfiltration. Notes: several docs/INSTALL.md suggest optional local config steps (TOOLS.md, optional env vars like MORELOGIN_API_URL/MORELOGIN_TOKEN) and include examples that mention ADB commands — review these optional steps to avoid accidentally persisting tokens in repo/config files.

ℹ

Install Mechanism

Install steps are npm install for the CLI and a Homebrew formula for adb (android-platform-tools). These are standard for a Node-based CLI that interacts with local devices. Caveat: npm install will pull devDependencies listed (playwright, puppeteer-core) which are large and may download additional browser artifacts; consider installing with production mode or pruning dev deps if you want a minimal footprint.

✓

Credentials

The skill does not require secrets or external service credentials to operate; required binaries (node, adb) match the feature set. Some docs show optional env vars and advise storing an API token in config (user-provided), but these are optional and not declared as required. No unrelated credential names or excessive env access are requested.

✓

Persistence & Privilege

Skill is not force-included (always: false) and does not declare system-wide modifications. It provides a CLI and examples that run on demand; nothing in the repo indicates it will persistently modify other skills or global agent settings.

Assessment

This skill appears to do what it claims: a local CLI to control MoreLogin's Local API. Before installing, confirm you want to run a Node CLI that will: (1) call http://127.0.0.1:40000 (local only) to manage profiles/cloud phones, (2) install Node packages (npm install) which by default will also download devDependencies like Playwright/puppeteer that are large, and (3) optionally use adb (the brew formula installs android-platform-tools). Recommended precautions: run npm install with NODE_ENV=production or remove devDependencies if you only need the CLI; review bin/morelogin.js and common helpers if you want to be sure of specific network calls; do not commit any API tokens or MORELOGIN_TOKEN into repositories—store them in your secret manager if needed; verify the MoreLogin local API port on your system (docs show 40000 in some places and 5050 in others) and ensure MoreLogin desktop is the expected version. If you need a stricter footprint, consider running the CLI in an isolated environment (container or VM) and audit network access during use.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🌐 Clawdis

Binsnode, adb

Install

Install ADB (Android Debug Bridge)

Bins: adb

brew install android-platform-tools

latestvk97a163bbcsmd534jtdv36w9p1822zh4

402downloads

0stars

4versions

Updated 1mo ago

v1.0.3

MIT-0

MoreLogin Local API Skill

Manage browser profiles and cloud phones via MoreLogin official Local API, supporting full lifecycle control, automation connections (CDP/ADB), and resource management (proxy/group/tag/app/file).

Official Sources

Local API documentation: https://guide.morelogin.com/api-reference/local-api
Base URL: http://127.0.0.1:40000
Requirements: MoreLogin Desktop v2.15.0+, logged-in local account

Trigger Scenarios

Prefer this Skill when:

User mentions MoreLogin, envId, uniqueId, cloudphone
Creating/starting/closing browser profiles
Refreshing fingerprints, clearing cache, or deleting profiles
Cloud phone power on/off, ADB, app management, file upload
API management of proxy, groups, tags

Pre-flight Checklist

Before any operation:

Confirm MoreLogin desktop app is running and logged in.
Confirm API is reachable: http://127.0.0.1:40000.
Confirm requests originate from localhost (Local API does not support remote access).
For cloud phone command execution, confirm ADB is available (adb installed).

Execution Principles

Treat local-api.yaml + API-CONTRACT.md as the canonical parameter source before constructing payloads.
Do not infer field names from memory; verify required keys/types first (especially id vs ids, object vs array bodies).
Use POST by default (except tag query GET /api/envtag/all).
Uniform request header: Content-Type: application/json.
Check code first: 0 means success, non-zero use msg for error handling.
Prefer envId for resource lookup; fall back to uniqueId when missing (browser profiles).
For batch endpoints (/batch), always pass arrays and record changed objects.

API Capability Mapping

Browser Profile

Endpoint	Purpose
`POST /api/env/create/quick`	Quick create profile
`POST /api/env/create/advanced`	Advanced create (full fingerprint params)
`POST /api/env/fingerprint/refresh`	Refresh device fingerprint
`POST /api/env/start`	Start profile and return debug info
`POST /api/env/close`	Close running profile
`POST /api/env/status`	Get run status and debug info
`POST /api/env/page`	Paginated profile list
`POST /api/env/detail`	Get single profile detail
`POST /api/env/removeLocalCache`	Clear local cache (cookies/localStorage etc.)
`POST /api/env/removeToRecycleBin/batch`	Batch delete to recycle bin

Cloud Phone

Endpoint	Purpose
`POST /api/cloudphone/create`	Create cloud phone
`POST /api/cloudphone/powerOn`	Power on
`POST /api/cloudphone/powerOff`	Power off
`POST /api/cloudphone/page`	Paginated list
`POST /api/cloudphone/info`	Get detail (including ADB info)
`POST /api/cloudphone/edit/batch`	Batch edit config
`POST /api/cloudphone/delete/batch`	Batch delete
`POST /api/cloudphone/newMachine`	One-click new device
`POST /api/cloudphone/updateAdb`	Enable/disable ADB

Cloud Phone File & App

Endpoint	Purpose
`POST /api/cloudphone/uploadFile`	Upload file to cloud phone
`POST /api/cloudphone/uploadUrl`	Query upload status
`POST /api/cloudphone/setKeyBox`	Set Keybox
`POST /api/cloudphone/app/install`	Install app
`POST /api/cloudphone/app/page`	Query app market list
`POST /api/cloudphone/app/installedList`	Query installed apps
`POST /api/cloudphone/app/start`	Start app
`POST /api/cloudphone/app/restart`	Restart app
`POST /api/cloudphone/app/stop`	Stop app
`POST /api/cloudphone/app/uninstall`	Uninstall app

Proxy / Group / Tag

Endpoint	Purpose
`POST /api/proxyInfo/page`	Query proxy list
`POST /api/proxyInfo/add`	Add proxy
`POST /api/proxyInfo/update`	Update proxy
`POST /api/proxyInfo/delete`	Delete proxy
`POST /api/envgroup/page`	Query groups
`POST /api/envgroup/create`	Create group
`POST /api/envgroup/edit`	Edit group
`POST /api/envgroup/delete`	Delete group
`GET /api/envtag/all`	Get all tags
`POST /api/envtag/create`	Create tag
`POST /api/envtag/edit`	Edit tag
`POST /api/envtag/delete`	Delete tag

Standard Workflows

Workflow A: Browser Profile Automation

Get envId from create/quick or page.
Call start to launch the profile.
Call status to verify run state and debugPort.
Use CDP (Puppeteer/Playwright) for automation.
Call close when done.

Workflow B: Cloud Phone Automation

Call page or create to obtain cloud phone id.
Call powerOn to start.
Call info to get ADB connection params.
Call updateAdb when needed to enable ADB.
Run supported cloud phone management endpoints only (no direct command execution).
Call powerOff when done.

Quick Examples (Official API)

# 1) Quick create browser profile
curl -X POST "http://127.0.0.1:40000/api/env/create/quick" \
  -H "Content-Type: application/json" \
  -d '{"browserTypeId":1,"operatorSystemId":1,"quantity":1}'

# 2) Start profile
curl -X POST "http://127.0.0.1:40000/api/env/start" \
  -H "Content-Type: application/json" \
  -d '{"envId":"<envId>"}'

# 3) Cloud phone power on
curl -X POST "http://127.0.0.1:40000/api/cloudphone/powerOn" \
  -H "Content-Type: application/json" \
  -d '{"id":"<cloudPhoneId>"}'

# 4) Query cloud phone detail (including ADB info)
curl -X POST "http://127.0.0.1:40000/api/cloudphone/info" \
  -H "Content-Type: application/json" \
  -d '{"id":"<cloudPhoneId>"}'

CLI Usage (This Project)

Prefer project-wrapped commands; fall back to curl when needed:

Entry equivalence note: openclaw morelogin ... and node bin/morelogin.js ... are fully equivalent (same arguments, same behavior, same exit code). Use either one based on your runtime environment.

# Browser profile
openclaw morelogin browser list
openclaw morelogin browser start --env-id <envId>
openclaw morelogin browser status --env-id <envId>
openclaw morelogin browser close --env-id <envId>

# Cloud phone
openclaw morelogin cloudphone list
openclaw morelogin cloudphone start --id <cloudPhoneId>
openclaw morelogin cloudphone info --id <cloudPhoneId>

## Response & Error Handling

Parse responses with the following structure:

```json
{
  "code": 0,
  "msg": null,
  "data": {},
  "requestId": "..."
}

Handling rules:

code == 0: Proceed, extract data.
code != 0: Output msg, mark failed step, suggest next fix.
For start/powerOn operations, call status/info again before subsequent steps to confirm.

Security & Limits

Local API listens on localhost only; no remote access.
Can be called only when MoreLogin account is logged in.
Do not expose account, proxy passwords, ADB keys, or other sensitive data in logs or code.
Double-check target ID lists before batch delete, cache clear, or app uninstall.

Security Notice

This skill no longer provides local ADB/SSH connection methods (adb-connect, adb-disconnect, adb-devices).

Command execution safeguards:

Restricted to local automation context (localhost workflows and local API).
Remote cloud phone exec is disabled by default and must be explicitly enabled.
exec command content is validated against a safe allowlist and blocks shell metacharacters.
Generic api passthrough is endpoint-allowlisted by default.

When Not to Use This Skill

MoreLogin is not installed, not running, or not logged in.
Requirements are for regular browser automation (no MoreLogin environment isolation).
Requirements depend on remote access to Local API over the network.

Related Files

bin/morelogin.js
lib/api.js
local-api.yaml
API-CONTRACT.md
README-OFFICIAL-API.md

Comments

Loading comments...