PinchTab
Browser automation via HTTP API. Use for headless browser control, web automation, form filling, data extraction, and interactive element interaction. Suppor...
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 75 · 0 current installs · 0 all-time installs
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (HTTP browser automation) aligns with the scripts and API docs: the files call a localhost HTTP API to launch/navigate/click and fetch screenshots. However several pieces don't belong or are under-specified: a bearer token is embedded in reference docs and multiple shell scripts (suggesting a baked-in credential), and the SKILL metadata declares no required env vars or binaries even though scripts need curl, jq, base64, mktemp and python3+requests. That mismatch is disproportionate to the stated purpose.
Instruction Scope
Runtime instructions direct the agent/user to run the included scripts to interact with http://localhost:9867 and to export PINCHTAB_TOKEN/TELEGRAM_BOT_TOKEN for some flows. The scripts themselves use a hard-coded Authorization token for many endpoints, fetch/decode base64 screenshots, optionally send images to Telegram (external network), and copy artifacts into /root/.openclaw/workspace/skills/pinchtab/assets — writing into the agent workspace. These actions extend beyond simple in-memory automation: they persist files and can transmit data externally (Telegram).
Install Mechanism
There is no install spec (instruction-only with scripts), which reduces installer risk. However the packaged scripts will be executed as-is and rely on external binaries and Python packages that are not declared. Because files will be executed from disk, the lack of an install or verification step means you must review script contents before running.
Credentials
The skill metadata lists no required env vars, yet SKILL.md and scripts expect PINCHTAB_TOKEN and optionally TELEGRAM_BOT_TOKEN. Worse, many shell scripts and API docs include a hard-coded bearer token (b6a9100...), which is effectively an embedded secret. This is disproportionate: a browser automation helper should accept a user-provided token or no token, not ship with/require an undeclared credential. The scripts also assume presence of tools (jq, curl, base64, python3, requests) that the manifest doesn't list.
Persistence & Privilege
always:false and no system-wide installs or modifications are requested. The only persistence is copying a screenshot into the skill's workspace directory (/root/.openclaw/workspace/skills/pinchtab/assets) if present — which is limited to the agent workspace, not global system config. The skill does perform network calls (localhost API and optional Telegram outbound requests) which is expected for its purpose.
What to consider before installing
Review the scripts before running. Key things to check: 1) The repo embeds a bearer token (b6a9...) in several scripts and docs — treat that as a secret of unknown origin; do not assume it is safe. 2) The metadata declares no required environment variables or binaries, but the scripts require curl, jq, base64, mktemp, and python3 with the requests package; ensure those are present and correct. 3) Screenshot flows can send images to Telegram (external network) and will copy files into the agent workspace; avoid running these scripts with elevated privileges and consider running them in a sandbox. 4) Confirm there is a legitimate local PinchTab server at http://localhost:9867 before using the scripts — the skill does not install that server. 5) Prefer using your own PINCHTAB_TOKEN/TELEGRAM_BOT_TOKEN (exported as env vars) and remove or rotate any embedded tokens. If you need a clean install path or provenance for the server binary/token, ask the publisher for source/build instructions and justification for the embedded token; until then treat the package as untrusted.Like a lobster shell, security has layers — review code before you run it.
Current versionv1.0.0
Download ziplatest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
PinchTab Skill
Description
PinchTab is an HTTP server that provides programmatic control over a browser. It supports launching browser instances, navigating to pages, extracting page structure, and interacting with elements like buttons or forms.
When to Use
Use this skill for tasks like:
- Automating browser workflows (e.g., logins, form submissions).
- Extracting data or snapshots from web pages.
- Testing interactive web elements.
Quick Start
Below is a guide to using the PinchTab skill:
1. Launching a Browser Instance
You can launch a new browser instance via the API:
bash scripts/launch_browser.sh
2. Navigating to a URL
Navigate to a URL with the following command:
bash scripts/navigate_to_url.sh https://example.com
3. Extracting Page Snapshot
Get the page structure and save it locally:
bash scripts/get_page_snapshot.sh
4. Clicking an Element
Simulate a button click on a webpage:
bash scripts/click_element.sh "<css_selector>"
5. Taking Screenshots (Base64 Decode + Send to Telegram)
Capture a screenshot, decode the base64, and send to Telegram:
Bash:
export PINCHTAB_TOKEN="your_token"
export TELEGRAM_BOT_TOKEN="your_bot_token"
bash scripts/screenshot_and_send.sh <tab_id> <telegram_chat_id>
Python (more features):
export PINCHTAB_TOKEN="your_token"
python3 scripts/decode_screenshot.py <tab_id> \
--output /path/to/screenshot.jpg \
--send-telegram <chat_id> \
--caption "My screenshot"
Example: Google Homepage
PinchTab successfully navigated to Google and extracted the page structure:
This demonstrates:
- Browser launch and page navigation
- Interactive element extraction (About, Store, Advertising links, etc.)
- Ready for automation (clicking, form filling, data extraction)
Documentation
Check the references/ folder for detailed API documentation, common workflows, and troubleshooting tips.
Files
10 totalSelect a file
Select a file to preview.
Comments
Loading comments…