CamoFox MCP
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: camofox-mcp
Version: 1.10.0
The skill is classified as suspicious primarily due to its reliance on `npx camofox-mcp@1.10.0` in `setup.sh` and `SKILL.md` for installation and execution. This command downloads and runs an external package from npm, posing a significant supply chain risk if the `camofox-mcp` package were compromised or malicious. Additionally, the `camofox_evaluate_js` tool allows arbitrary JavaScript execution within the browser, a powerful capability that could be exploited if the AI agent processes untrusted input, leading to potential client-side vulnerabilities or data leakage.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could automate websites in ways that evade their defenses and perform broad actions such as clicking, form submission, scraping, or downloading without enough built-in boundaries.
The skill explicitly advertises anti-detection behavior aimed at bypassing site bot protections, and pairs it with tools for navigation, clicking, typing, extraction, downloads, and batch workflows.
Most browser automation flows eventually hit CAPTCHAs, fingerprint checks, or bot detection... Anti-detection fingerprinting per tab/session... without the high block rates common with standard automation stacks.
Use only on sites and accounts where you have permission, require explicit approval before logins, form submissions, batch clicks, downloads, or scraping, and define allowed domains and task limits.
If an agent uses or saves session cookies, it may act as the logged-in user across websites and future tasks.
Cookies and saved profiles can grant authenticated account access. The artifacts do not clearly bound which accounts may be used, how profiles are stored, or when the user must approve reuse.
Session persistence via cookie/profile tools... import_cookies: Import cookies for authenticated sessions... save_profile: Save tab cookies to a named profile... load_profile: Load saved profile cookies into a tab.
Use dedicated low-privilege browser profiles, avoid importing sensitive cookies, delete saved profiles when finished, and require user confirmation before using authenticated sessions.
Installing or launching the skill may run code that was not present in the reviewed package, and that code controls browser automation and sessions.
The launcher executes an external npm package at runtime. The reviewed artifacts do not include the MCP server source that implements the high-impact browser, cookie, and download tools.
CAMOFOX_TRANSPORT=http npx camofox-mcp@1.10.0
Inspect the npm package and repository before running, pin and verify the package source where possible, and run it in a sandboxed environment.
A mistaken or overbroad instruction could cause the agent to run page scripts that read or alter page state beyond the intended task.
JavaScript execution is purpose-aligned for browser automation, but it gives the agent a raw code-execution capability inside pages.
camofox_evaluate_js
description: Execute JavaScript in isolated page context.
Allow JavaScript evaluation only for clearly scoped tasks and review the target page and script purpose before execution.
If the MCP endpoint is exposed beyond the local machine, another client could potentially control the browser session or access page/download data.
The skill exposes browser automation over an HTTP MCP endpoint. Defaults shown are localhost, but the artifacts also mention remote-compatible clients and do not require authentication metadata.
Native HTTP MCP endpoint for OpenClaw and remote MCP-compatible clients
Keep the MCP server bound to localhost, use an API key or other access control if remote access is enabled, and do not expose it on untrusted networks.
