Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
DataDome Super Bypass
v1.0.0End-to-end DataDome bypass orchestration for authorized targets by chaining probe, cookie harvest fallback, cookie injection, retest, and optional CapSolver...
⭐ 0· 72·0 current·0 all-time
by@sahjony
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
Name/description match what the script does (probing, harvesting/injecting cookies, optional solver path). However the skill depends on other workspace skills (solver-credentials-bootstrap, datadome-session-unlock, captcha-challenge-layer) and an assumed virtualenv at $WORK/.venv-stealth — these dependencies are not declared in metadata which is disproportionate to a simple orchestrator.
Instruction Scope
The runtime script sources $WORK/.secrets/credentials.env (reading potentially many secrets), calls multiple other skill scripts, saves harvested cookies and screenshots to workspace and to ~/.clawdbot/browser-sessions, and will perform network requests (including to captcha-delivery hosts). The SKILL.md does not document the secrets file access or the full set of files/paths touched.
Install Mechanism
There is no install spec yet the script expects a Python runtime, Node/Playwright, and a Python virtualenv at $WORK/.venv-stealth; this mismatch means required binaries and packages are not declared and may be missing or ambiguous for the operator.
Credentials
SKILL.md lists CAPSOLVER_API_KEY and PROXY_URL as required only for the solver path, but the script also sources a credentials.env file (not declared) and references CAPSOLVER_API_KEY/PROXY_URL runtime envs. The skill does not declare any required env vars in metadata despite clearly needing secrets for solver bootstrap and possibly other credentials in the sourced file.
Persistence & Privilege
The skill writes persistent artifacts and browser session state into the user's home (~/.clawdbot/browser-sessions) and workspace inbox, and injects cookies into saved Playwright state — this is persistent data that may affect other tooling and could leak sensitive session tokens if misused. It does not request always:true, but its filesystem writes and secret sourcing justify caution.
What to consider before installing
This skill orchestrates bypassing an anti-bot system and implements that behavior in the included script. Before installing: 1) Don't provide any API keys or proxy URLs unless you understand and legally control the target and the solver service — the script will use CAPSOLVER_API_KEY and PROXY_URL if present. 2) Inspect the referenced scripts from other skills (solver-credentials-bootstrap, captcha-challenge-layer, datadome-session-unlock) because this orchestrator calls them and also sources $WORK/.secrets/credentials.env (which can contain many secrets). 3) Expect to need Python, Node, Playwright and a virtualenv at $WORK/.venv-stealth — the skill metadata does not declare these dependencies. 4) Run only in an isolated/testing environment; harvested cookies and session state are written to workspace/inbox and ~/.clawdbot and could leak credentials. 5) Consider legal/ethical implications of bypassing anti-bot protections; if you proceed, validate precisely which environment variables and secret files will be used and audit the other scripts the orchestrator invokes.Like a lobster shell, security has layers — review code before you run it.
latestvk975mrmexxqz74v0qakgg8f2zh83yvcv
License
MIT-0
Free to use, modify, and redistribute. No attribution required.