ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenCLI Universal CLI Hub

v1.0.0

OpenCLI — 通用 CLI Hub,将任何网站、Electron 应用或本地工具转化为命令行接口。66+ 内置命令,支持 Bilibili/Twitter/Reddit/Xiaohongshu/GitHub 等。复用 Chrome 登录态,零 LLM 成本,确定性输出。

0· 10·0 current·0 all-time
byzengbao yu@yuzengbaao
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the behavior: converting websites/Electron apps/local tools to CLI reasonably requires Node, a daemon, and a browser bridge. Requiring node and asking to install opencli via npm is proportionate to the stated purpose. However the description's claim of "Zero risk, Reuse Chrome login" downplays the real security implications of reusing browser auth and installing a browser extension.
!
Instruction Scope
The SKILL.md instructs installing a global npm package, loading a Browser Bridge extension into Chrome, reusing Chrome login state, using browser_navigate/browser_network_requests/browser_evaluate and intercept techniques, and running a local daemon (port 19825). Those steps expose browser cookies/auth and local services to the tool and to any code the npm package and extension execute. The skill does not explicitly constrain or document how credentials/cookies are handled, what is sent externally, or which endpoints the extension/daemon will contact — leaving room for exfiltration or overbroad data access.
Install Mechanism
No formal install spec in registry, but SKILL.md directs: npm install -g @jackwener/opencli@latest (public npm). Installing a global npm package and a browser extension is common for a CLI+bridge, but both run arbitrary code on the host and get privileged access (global binaries, extension privileges). The SKILL.md also says to download an extension from GitHub Releases (reasonable host) but provides no release URL or checksum to verify integrity.
!
Credentials
The skill declares no environment variables, but the runtime instructions require access to Chrome login/cookies and local daemon endpoints. Accessing browser authentication and cookies is sensitive and not represented in requires.env or required config paths. The SKILL.md also implies intercepting requests and using credentials:'include' — operations that can access and transmit sensitive tokens/headers.
!
Persistence & Privilege
The flow installs a global binary, a browser extension, and runs a local daemon — all persistent artifacts. While always:false (not force-enabled), the installed components have lasting presence and privileges (browser extension can persist and a daemon can listen on localhost). The skill does not document least-privilege, opt-in boundaries, or how to uninstall/limit access.
What to consider before installing
This skill is coherent with its purpose but uses sensitive capabilities. Before installing: (1) review the npm package source code and author (@jackwener) and prefer reproducible release artifacts or pinned versions; (2) verify the Browser Bridge extension release artifacts (release URL, checksums) and inspect requested extension permissions; (3) consider running the CLI and extension inside an isolated environment (VM/container) or test account, not against your primary Chrome profile or important accounts; (4) confirm what the local daemon exposes (which endpoints, whether it listens only on localhost, and whether it accepts remote requests); (5) avoid granting it access to accounts with high privileges until you can audit network traffic and code; (6) if you need to proceed, track how to uninstall the npm package and remove the extension/daemon. These steps reduce risk of credentials or sensitive browsing data being exfiltrated.

Like a lobster shell, security has layers — review code before you run it.

ai-agentvk97bpz8ex1fze3c0v8npymhdnx842b3qautomationvk97bpz8ex1fze3c0v8npymhdnx842b3qbrowservk97bpz8ex1fze3c0v8npymhdnx842b3qclivk97bpz8ex1fze3c0v8npymhdnx842b3qlatestvk97bpz8ex1fze3c0v8npymhdnx842b3qwebvk97bpz8ex1fze3c0v8npymhdnx842b3q

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔧 Clawdis
Binsnode

SKILL.md

OpenCLI Skill

Make any website, Electron App, or local tool your CLI. Zero risk, Reuse Chrome login, AI-powered discovery, Universal CLI Hub.

安装与验证

# 安装
npm install -g @jackwener/opencli@latest

# 验证
opencli --version
opencli list              # 查看所有可用命令
opencli doctor            # 检查扩展 + daemon 连通性

前提条件

  • Node.js >= 20.0.0
  • Chrome 浏览器(需登录目标网站)
  • Browser Bridge 扩展(从 GitHub Releases 下载 opencli-extension.zip → chrome://extensions → 开发者模式 → 加载已解压的扩展)

常用命令速查

无需浏览器的 Public API 命令

opencli hackernews top --limit 5       # HackerNews 热榜
opencli v2ex hot --limit 5             # V2EX 热帖
opencli arxiv search "quantum"         # arXiv 论文搜索
opencli stackoverflow questions "rust"  # StackOverflow
opencli producthunt today              # Product Hunt

需要浏览器登录的命令

# Bilibili
opencli bilibili hot --limit 5         # 热榜
opencli bilibili search "AI"           # 搜索
opencli bilibili download BV1xxx       # 下载视频

# Twitter/X
opencli twitter trending                # 趋势
opencli twitter search "DeFi"           # 搜索
opencli twitter timeline --limit 10     # 时间线

# Reddit
opencli reddit hot --limit 5           # 热帖
opencli reddit search "ethereum"       # 搜索

# 小红书
opencli xiaohongshu search "美食"      # 搜索
opencli xiaohongshu note abc123        # 笔记详情

# GitHub (via gh CLI)
opencli gh pr list --limit 5           # GitHub PR 列表
opencli gh issue list                  # Issue 列表

输出格式

opencli bilibili hot -f json    # JSON 格式(适合管道/LLM)
opencli bilibili hot -f csv     # CSV 格式(适合表格)
opencli bilibili hot -f yaml    # YAML 格式
opencli bilibili hot -f md      # Markdown 格式
opencli bilibili hot -v         # Verbose 调试

外部 CLI 注册(CLI Hub)

opencli register mycli           # 注册本地 CLI,AI Agent 可通过 opencli list 发现
opencli gh pr list               # 自动检测并安装缺失工具

AI Agent 开发新适配器

快速模式(单命令 4 步)

  1. browser_navigate → 打开目标 URL
  2. browser_network_requests → 筛选 JSON API
  3. browser_evaluate → 用 fetch 验证接口
  4. 写 YAML/TS adapter → build → test

认证层级

层级条件方案
Tier 1fetch(url) 直接能拿Public API (YAML, browser: false)
Tier 2credentials:'include'Cookie (YAML)
Tier 3需 Bearer/CSRF headerHeader (TS)
Tier 4页面能请求但 fetch 不行Intercept (TS, installInterceptor)

自动探索

opencli explore https://example.com --site mysite   # 发现 API
opencli synthesize mysite                            # 生成 YAML 适配器
opencli generate https://example.com --goal "hot"   # 一键生成
opencli cascade https://api.example.com/data         # 自动探测认证策略

退出码

含义
0成功
66空结果
69Browser Bridge 未连接
77需要登录

故障排除

  • "Extension not connected" → 安装 Browser Bridge 扩展到 chrome://extensions
  • 空数据/Unauthorized → Chrome 中重新登录目标网站
  • Daemon 问题 → curl localhost:19825/status 检查

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…