Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ffagen Minimax Vision Scraper

v1.0.0

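An advanced web-scraping skill that combines Playwright screenshots with MiniMax image understanding. It bypasses anti-scraping measures and uses AI to interpret the screenshot content directly.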


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for ffagen/ffagen-minimax-vision-scraper.

Install the skill "Ffagen Minimax Vision Scraper" (ffagen/ffagen-minimax-vision-scraper) from ClawHub.
Skill page: https://clawhub.ai/ffagen/ffagen-minimax-vision-scraper
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install ffagen-minimax-vision-scraper

ClawHub CLI


npx clawhub@latest install ffagen-minimax-vision-scraper
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
!
Purpose & Capability
The name/description (Playwright screenshots + MiniMax VLM) matches the code: the script screenshots a page and posts it to a MiniMax API. However registry metadata claims no required env vars or binaries while SKILL.md and scripts rely on system Google Chrome and an API key (MINIMAX_API_KEY). The script hardcodes an API key and uses a macOS-specific Chrome path, which is inconsistent with the 'no requirements' claim.
!
Instruction Scope
SKILL.md and scripts limit runtime actions to browsing, screenshotting, and POSTing the image to api.minimaxi.com. That is consistent with the stated purpose, but screenshots can contain sensitive data and the skill will upload full-page screenshots to a third-party API. The SKILL.md doesn't warn about this risk nor require the user to supply their own API key (the code falls back to an embedded key).
Install Mechanism
No install spec in registry, but package.json/package-lock.json are present and only depend on playwright from npm — a standard dependency. There are no downloads from odd URLs or archives. The install risk is moderate and expected for a Playwright-based tool.
!
Credentials
The code uses sensitive environment variables (MINIMAX_API_KEY, MINIMAX_API_HOST) but the registry lists none. Worse, the script contains a hardcoded API key string that will be used if MINIMAX_API_KEY is not set. Requiring/using an API key to call an external service is expected, but embedding a fallback secret (and not declaring it) is inappropriate and could represent abuse of someone else's key or leakage of a secret.
Persistence & Privilege
The skill does not request persistent/always-on privileges, does not change other skills' configs, and does not require elevated system privileges. It launches a local browser instance only.
Scan Findings in Context
[embedded_api_key] unexpected: The script contains a long hardcoded string starting with 'sk-cp-...' used as a fallback MINIMAX_API_KEY. Hardcoded API keys are unexpected for a user-facing scraper and are a data-trust/exfiltration risk.
What to consider before installing
This skill will take screenshots of target pages and upload them to a third-party Vision API. Before installing:

1) Do not rely on the embedded API key — remove it or supply your own MINIMAX_API_KEY; the built-in key could be abused or revoked and means your screenshots would be processed under someone else's account.
2) Assume any screenshot may contain sensitive data (logins, tokens, personal data); avoid running it against pages where you are authenticated or that contain secrets.
3) Update the macOS-specific Chrome path if you are not on macOS or let Playwright manage its browser.
4) If you plan to use this, review the code, replace/remove the embedded key, point MINIMAX_API_HOST to a trusted endpoint, and run in an isolated sandbox until you trust the behavior.

Because of the embedded key and undeclared env requirements, treat this skill as suspicious and proceed only after remediation.
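The review steps above can be partly automated. The following is an added example, not code from the skill or from the scanner: it lists environment variables a script reads but the registry does not declare, flags secret-like variables that fall back to a string literal, and shows a configuration loader that fails closed instead. The function names, the allowlist and the sample source (with a placeholder key) are assumptions constructed for illustration.

```javascript
// Added example; not the skill's code. Names and sample input are constructed.
const TRUSTED_HOSTS = new Set(['api.minimaxi.com']); // default host from the skill's README

// Audit a script: which env vars does it read that the registry does not
// declare, and which secret-like vars fall back to a string literal?
function auditSkillSource(source, declaredEnv = []) {
  const used = new Set();
  const secretFallbacks = [];
  source.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(/process\.env\.([A-Z0-9_]+)/g)) used.add(m[1]);
    const fb = line.match(/process\.env\.([A-Z0-9_]+)\s*(?:\|\||\?\?)\s*['"`]/);
    if (fb && /KEY|TOKEN|SECRET|PASSWORD/.test(fb[1])) {
      secretFallbacks.push({ name: fb[1], line: i + 1 });
    }
  });
  const undeclaredEnv = [...used].filter((n) => !declaredEnv.includes(n)).sort();
  return { undeclaredEnv, secretFallbacks };
}

// Hardened loader: no embedded key, and the upload host must be allowlisted,
// because every screenshot is sent to whatever host this resolves to.
function resolveMinimaxConfig(env) {
  const apiKey = (env.MINIMAX_API_KEY || '').trim();
  if (!apiKey) throw new Error('MINIMAX_API_KEY is required; no embedded fallback');
  const host = (env.MINIMAX_API_HOST || 'api.minimaxi.com').trim().toLowerCase();
  if (!TRUSTED_HOSTS.has(host)) throw new Error(`untrusted MINIMAX_API_HOST: ${host}`);
  return { apiKey, endpoint: `https://${host}/v1/coding_plan/vlm` };
}

// Constructed sample mirroring the pattern the scan describes (placeholder key).
const SAMPLE = [
  "const KEY = process.env.MINIMAX_API_KEY || 'sk-cp-PLACEHOLDER';",
  "const HOST = process.env.MINIMAX_API_HOST || 'api.minimaxi.com';",
  'const WAIT = Number(process.env.WAIT_TIME);',
].join('\n');

console.log(auditSkillSource(SAMPLE, []));
```

Run the audit over each file under the skill's scripts directory before the first execution, passing the env vars the registry metadata declares as the second argument.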

Like a lobster shell, security has layers — review code before you run it.

Tags: ai, latest, minimax, vision, web-scraping
86 downloads
0 stars
1 version
Updated 3w ago
v1.0.0
MIT-0

MiniMax Vision Scraper

Playwright screenshots + MiniMax image understanding: bypass anti-scraping measures and extract page content directly with AI.


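Core advantages

| Aspect | Traditional scraping | Vision Scraper |
| --- | --- | --- |
| Anti-scraping | ❌ Easily blocked | ✅ Screenshots bypass detection |
| JS rendering | ⚠️ Complex | ✅ A screenshot captures the full page |
| Content understanding | ❌ Requires HTML parsing | ✅ AI understands it directly |
| Dynamic content | ❌ Hard to capture | ✅ The screenshot is what you see |

Workflow

URL → Playwright screenshot (Chrome) → MiniMax VLM image understanding → AI analysis result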

Installation

cd ~/.openclaw/workspace/skills/ffagen__minimax-vision-scraper
npm install playwright
# No need to install chromium; the system-installed Google Chrome is used directly

Usage

Direct invocation

node scripts/screenshot.js <URL> [prompt]

# Examples
node scripts/screenshot.js "https://news.sina.com.cn" "提取今日头条新闻"
node scripts/screenshot.js "https://finance.sina.com.cn" "提取股票行情数据"

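Environment variables

| Variable | Default | Description |
| --- | --- | --- |
| WAIT_TIME | 5000 | Wait time (ms) |
| HEADLESS | true | Whether to run in headless mode |
| SCREENSHOT_PATH | /tmp/screenshot-*.png | Screenshot save path |
| MINIMAX_API_KEY | (built-in) | MiniMax API Key |
| MINIMAX_API_HOST | api.minimaxi.com | API address |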

Calling from OpenClaw

Use ffagen__minimax-vision-scraper to scrape https://example.com and analyze the page content

Anti-scraping evasion techniques (a tribute to playwright-scraper-skill)

✅ Hides navigator.webdriver
✅ Real iPhone User-Agent
✅ Mobile viewport (375x812)
✅ Hides Chrome automation signatures
✅ Emulates permissions.query
✅ Cloudflare detection + extra wait


Examples

Scrape financial news:

node scripts/screenshot.js "https://finance.sina.com.cn" "提取所有财经新闻标题和摘要"

Scrape stock data:

node scripts/screenshot.js "https://stock.finance.sina.com.cn" "提取大盘指数和涨跌数据"

Scrape product information:

node scripts/screenshot.js "https://item.jd.com/100000.html" "提取商品名称、价格、评价"

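Technical notes

  • Screenshot engine: uses the system-installed Google Chrome (no extra download needed)
  • Image understanding: MiniMax VLM API (/v1/coding_plan/vlm)
  • Anti-scraping strategy: Playwright Stealth mode, hiding automation signatures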
