Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

gjsw

v1.0.5

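Automatic login skill for the State Taxation Administration 12366 tax service platform. Supports OCR recognition of image captchas, persistent sessions, and automatic location of form elements. Triggered when the user asks to log in to the tax platform, 12366, the State Taxation Administration, State Tax Bureau 12366, 12366 State Tax Bureau, or similar login scenarios. Key criterion: the user provides a username, a password and a login page URL (or has already set the environment variable) and wants the login flow completed automatically.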


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for edwn/gjsw.

Install the skill "gjsw" (edwn/gjsw) from ClawHub.
Skill page: https://clawhub.ai/edwn/gjsw
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: python3, google-chrome
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install gjsw

ClawHub CLI

npx clawhub@latest install gjsw

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, declared binaries (python3, google-chrome), primaryEnv (GJSW_LOGIN_URL), SKILL.md and included script all align: the skill automates web login using Playwright and local OCR (ddddocr). Asking for username, password and a login URL is consistent with its stated purpose.
Instruction Scope (!)
Instructions and the script perform full browser automation: locating form fields, capturing screenshots of captcha images, running OCR, repeatedly submitting credentials, and persisting a Chrome user-data directory. These actions are expected for login automation but create a high-sensitivity scope (handling user credentials and cookies). The script also prints debug information (element texts) when --debug is used, which could leak sensitive page content into logs. The code imports subprocess and socket (present in the visible portion), which could be used for side operations; the file content provided in the prompt is truncated, so a full review of the remaining code is needed to rule out unexpected network calls or external endpoints.
Install Mechanism
No automated install spec is included (instruction-only install steps are in SKILL.md: pip install playwright ddddocr and playwright install chrome). That is lower-risk than arbitrary downloads, but users must run these commands themselves. Playwright and ddddocr are reasonable dependencies for browser automation and local OCR.
Credentials
The skill declares only a primaryEnv (GJSW_LOGIN_URL) and otherwise expects username/password as command-line args. It does not declare unrelated cloud credentials. However, because it handles highly sensitive credentials (tax account username/password) and persistent session files (./chrome_profile), users should be aware of secure storage and local filesystem exposure.
Persistence & Privilege (!)
The script intentionally persists a Chrome user-data directory at ./chrome_profile and uses a fixed remote debugging port (9222). Persisting a profile is expected for session reuse, but the fixed CDP/debug port is risky: if the script connects to an existing Chrome instance or if other tools can access the same debugging port, it could expose other tabs, cookies, or credentials. The skill is not always-enabled and does not modify other skills, but the persistence and CDP usage raise privilege/exposure concerns.
What to consider before installing
This skill appears to do what it says (automate login + OCR), but it handles extremely sensitive credentials and persists browser session data. Before installing or running it:

  1. Review the full script (complete file) yourself or have a trusted reviewer inspect the remainder of the code for any network calls, hard-coded endpoints, or subprocess/socket usage that could exfiltrate data. The prompt-provided file is truncated; confirm the rest contains no unexpected behavior.
  2. Run it in an isolated environment (VM or disposable container) and do not use your real tax credentials until you are confident.
  3. Use a fresh ephemeral chrome_profile directory (or set it to a path you control) and avoid reusing your main Chrome profile.
  4. Avoid running with the default remote-debugging port 9222 if you have a Chrome instance already exposing CDP; change the port or run a dedicated browser instance to reduce cross-profile exposure.
  5. Avoid --debug in production runs (it prints page element text which may include sensitive info).
  6. Consider alternative official APIs or manual login if you have any doubt about storing credentials in scripts.

If you want, provide the remainder of the script (full file) and I can re-check for network endpoints or covert behavior.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔐 Clawdis
Bins: python3, google-chrome
Primary env: GJSW_LOGIN_URL
latest: vk9722sn26c02b7wybey5kxj54d85861b
145 downloads
0 stars
5 versions
Updated 1w ago
v1.0.5
MIT-0

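State Taxation Administration 12366 automatic login

The openclaw_login.py script uses Playwright to drive the Google Chrome browser, automatically filling in the account and password, recognizing the image captcha, and submitting the login. It supports session persistence (reusing a Chrome user data directory), so the next run can remain logged in.

Features

  1. Automatic form element location - identifies the username field, password field, captcha image, captcha input field and login button
  2. Image captcha OCR - uses ddddocr to recognize the captcha (non-digit characters are filtered out automatically)
  3. Login retry - up to 5 retries; a captcha error triggers an automatic refresh and retry, while a wrong account or password stops immediately
  4. Persistent session - uses a dedicated Chrome user data directory, ./chrome_profile, which stores cookies and login state
  5. Remote debugging port reuse - always uses port 9222, so repeated runs can connect to the same browser instance
  6. Login success detection - combines URL redirection, page keywords (个人中心 "personal center", 退出 "log out") and authentication cookies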
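
A pre-flight check for features 4 and 5 and for the scan's Persistence & Privilege finding, as an added example (not part of the skill or of openclaw_login.py): it parses Linux /proc/net/tcp text for sockets already listening on port 9222, and checks that a profile directory is not accessible to group or other users. The function names and the sample table are constructed for illustration; the parser assumes IPv4 on a little-endian Linux host.

```python
import os
import socket
import stat
import struct
import tempfile

CDP_PORT = 9222  # fixed remote-debugging port named on this page

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:2406 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11111 1 0 100 0 0 10 0
   1: 00000000:2406 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0 100 0 0 10 0
   2: 0100007F:2406 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0 100 0 0 10 0
"""


def cdp_listeners(proc_net_tcp, port=CDP_PORT):
    """Return [(ip, loopback_only)] for sockets in LISTEN state on `port`."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:       # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":     # 0A = TCP_LISTEN
            continue
        hex_ip, hex_port = fields[1].split(":")
        if int(hex_port, 16) != port:
            continue
        # The IPv4 address is printed as a little-endian 32-bit hex value.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        found.append((ip, ip.startswith("127.")))
    return found


def profile_exposed(path):
    """True if group or other users have any access to the profile dir."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def make_private_profile():
    """Create a fresh, empty profile directory (mkdtemp uses mode 0700)."""
    return tempfile.mkdtemp(prefix="chrome_profile_")


if __name__ == "__main__":
    for ip, local in cdp_listeners(SAMPLE_PROC_NET_TCP):
        print(ip, "loopback only" if local else "reachable from other hosts")
```

On a live host, pass the contents of /proc/net/tcp to cdp_listeners before launching; a listener that already exists on 9222 means a run may attach to a browser it did not start, and a loopback-only listener is still reachable by every local process.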

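Prerequisites

1. Install dependencies

pip install playwright ddddocr
playwright install chrome   # install the Playwright browser engine (the script actually uses Chrome)

2. Install Google Chrome

  • Chrome must be installed on Windows, macOS or Linux, and must be on the PATH
  • The script automatically searches common install paths (such as /Applications/Google Chrome.app on macOS)

3. Set the environment variable (optional)

export GJSW_LOGIN_URL="https://12366.chinatax.gov.cn/login"   # Linux/macOS
# or Windows (CMD)
set GJSW_LOGIN_URL=https://12366.chinatax.gov.cn/login
  • If the environment variable is not set, the login page URL must be supplied with the --url parameter on every run.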

Usage

Basic command

python3 {baseDir}/openclaw_login.py <username> <password> [--url <login page URL>] [--debug] [--window-size WIDTH,HEIGHT]

Parameters

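| Parameter | Description | Required |
| username | Login account | |
| password | Login password | |
| --url | Full URL of the login page (read from the GJSW_LOGIN_URL environment variable if not provided) | |
| --debug | Enables debug mode, printing the element location and recognition process | |
| --window-size | Browser window size, in the format width,height; default 1280,800 | |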

Examples

# URL given on the command line
python3 openclaw_login.py myusername mypassword --url "https://12366.chinatax.gov.cn/usercenter/login/page"

# URL taken from the environment variable
python3 openclaw_login.py myusername mypassword

# debug mode + large window
python3 openclaw_login.py myusername mypassword --debug --window-size 1920,1080
