Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fox Camoufox

v1.0.0

Anti-detect browser automation using Camoufox (Firefox-based). Use instead of Chrome/Playwright for bot-detection-heavy sites like X/Twitter, Naver, and othe...

by GarfieldQin (@qinthqod) · fork of @goodgoodjm/camoufox (1.0.0)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and the included scripts (browse.py, login_session.py, setup.sh) align with an anti-detect Firefox-based automation tool: persistent profile, humanized input, VNC/Xvfb usage, and a pip-installable 'camoufox' package are all expected for this purpose.
Instruction Scope
Runtime instructions are focused on using Camoufox and managing profiles; they ask you to run setup.sh, activate a venv, use xvfb or VNC, and store a profile under ~/.openclaw/camoufox-profile. This is consistent with persistent session automation, but note the profile will contain cookies/session state (sensitive data) and manual VNC login is part of the workflow.
Install Mechanism
setup.sh downloads and installs dependencies from the system package manager (sudo apt install) and runs 'pip install camoufox' inside a venv without a pinned/versioned release or an explicit trusted source. Installing an unpinned PyPI package and running apt with sudo are moderate-to-high supply-chain risks because they execute external code and require elevated privileges.
Credentials
The skill requests no special environment variables or external credentials, which is proportional. However, it creates and uses a persistent profile directory in the user's home that will store cookies and session tokens — expected for persistence but sensitive. The setup script optionally uses CAMOUFOX_VENV and CAMOUFOX_PROFILE environment overrides.
Persistence & Privilege
The skill does not demand permanent platform privileges (always:false) nor modify other skills. The notable privilege requirement is that setup.sh may invoke sudo to install system packages (apt) — so installing requires administrator privileges on the host, increasing risk if you do this on a machine with sensitive data.
What to consider before installing
This package appears to be what it claims (an anti-detection Firefox automation wrapper), but exercise caution before running setup.sh:
1) Inspect the 'camoufox' PyPI package (and its homepage/repository) before installing — unknown/unpinned packages can run arbitrary code.
2) Prefer installing in an isolated environment (ephemeral VM/container) rather than your primary host, since setup.sh may call sudo apt.
3) Consider pinning a known-good package version and reviewing the package source (or vendor-supplied repo) for malicious code.
4) Be aware that the profile directory stores cookies and sessions — don't reuse it for sensitive accounts.
If you can't verify the origin of 'camoufox' or its author, treat installation as high risk.

Like a lobster shell, security has layers — review code before you run it.
