Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Camoufox Tools
v1.0.0
Simplified CLI tools for camoufox anti-detection browser automation. Provides fox-open, fox-scrape, fox-eval, fox-close, and fox-bilibili-stats commands for...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md promises commands (fox-open, fox-scrape, fox-eval, fox-close, fox-bilibili-stats) and 'one‑click install', but the archive only includes SKILL.md and an install.sh; there are no fox-* executables or scripts in the bundle. The installer simply adds $SKILL_DIR/bin to PATH and lists any executables found there. This is inconsistent: a user would reasonably expect the package to provide the mentioned CLI tools or to document where they come from.
Instruction Scope
Runtime instructions are limited to running the provided install.sh, optionally setting CAMOUFOX_PATH, and using the described commands. The SKILL.md references external dependencies (camoufox, agent-browser, openclaw CLI) which are outside this package — that is acceptable but should be explicit. There are no instructions that read unrelated system files or exfiltrate data. The stated use (anti-detection scraping) has legal/ethical implications but does not by itself indicate technical incoherence.
Install Mechanism
There is no formal install spec; install.sh is the only installer and it does not download or extract remote code. It modifies the user's shell RC (appending export PATH lines) which is a persistent change; this is expected for CLI tooling but should be visible to the user. Because no code is downloaded, install risk is lower, but the absence of the actual CLI scripts means the installer as provided is incomplete.
Credentials
The skill requests no environment variables or credentials. SKILL.md documents an optional CAMOUFOX_PATH env var (reasonable and optional). No secrets or unrelated credentials are requested.
Persistence & Privilege
The installer appends an export line to the user's shell RC to persist the PATH change — a modest persistence action but not unusual for CLI tool installs. The skill is not marked always:true and does not request elevated privileges or modify other skills' configs.
What to consider before installing
Do not install yet. The package advertises fox-* CLI tools but does not include those executables — this could be an incomplete upload or an attempt to rely on external fetchers not shown here. Before proceeding: (1) ask the publisher where the fox-* scripts/binaries are or request a complete package; (2) inspect any fox-* scripts that will be placed in the bin directory before adding them to your PATH; (3) note the installer will append to your shell RC — back up that file first; (4) be aware the tool is for anti-detection scraping (may violate site terms or laws); (5) if the publisher says the CLI is downloaded at runtime, request the download URLs and verify they are from trusted release hosts (GitHub releases or an official domain) before allowing execution.
Like a lobster shell, security has layers — review code before you run it.
latest vk971sqwahs0a632h5k5hq6h9nh822bf1
