holiday-enough

Type: OpenClaw Skill Name: holiday-enough Version: 1.0.0 The skill bundle implements a powerful Chrome DevTools Protocol (CDP) proxy (`scripts/cdp-proxy.mjs`) that allows the AI agent to control the user's local browser. While the stated purpose is scraping travel guides from Xiaohongshu, the proxy includes high-risk capabilities such as executing arbitrary JavaScript (`/eval`), taking screenshots and saving them to arbitrary local paths (`/screenshot`), and uploading local files to the browser (`/setFiles`). These features provide a significant attack surface for local file manipulation and sensitive data access (e.g., session cookies) if the agent is targeted by prompt injection, although no explicit malicious intent or data exfiltration logic was identified in the current code.