Dolphin Anty
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: dolphin-anty
Version: 1.0.0

The skill is classified as suspicious due to a critical Remote Code Execution (RCE) vulnerability. The `scripts/dolphin_automate.js` file includes a `taskCustom` function that directly executes arbitrary JavaScript code (`page.evaluate(code)`) provided via the `--code` command-line argument. This allows an attacker to achieve RCE within the browser context if the AI agent passes unsanitized user input to this argument, potentially leading to data exfiltration or unauthorized actions. The `SKILL.md` explicitly describes this capability as 'Execute arbitrary JavaScript code on the page', indicating it's an intended but highly risky feature. Additionally, the skill stores an API token in a local plaintext file (`.token`), which is a minor vulnerability.
