ClawHub

Pinchtab

v0.9.1

Use this skill when a task needs browser automation through PinchTab: open a website, inspect interactive elements, click through flows, fill out forms, scra...

1· 1.6k·24 current·25 all-time
by@luigi-agosti
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchasesRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description ask for browser automation and the skill only requires the pinchtab CLI and a Chromium-based browser; install options (Homebrew formula or Go package) are coherent with distributing a Go CLI. No unrelated cloud credentials, network scanners, or system-wide privileges are requested.
Instruction Scope
SKILL.md and references limit operations to browser automation, recommend local (localhost) servers by default, warn against arbitrary JS evaluation and local-file uploads, and explicitly advise not to read unrelated local secrets or system configuration. The instructions do reference using curl/jq and MCP integrations (expected for an automation tool).
Install Mechanism
Installers are a Homebrew formula from a named tap and a Go package from github.com/pinchtab/pinchtab — both are reasonable for a Go CLI. There are no opaque download URLs or extract-from-arbitrary-URL steps in the provided metadata.
Credentials
No required environment variables or credentials are declared. The docs mention optional variables (PINCHTAB_TOKEN, PINCHTAB_CONFIG, PINCHTAB_TAB) that are appropriate for targeting a protected remote PinchTab server or configuring behavior; those are optional and reasonable.
Persistence & Privilege
The skill does not request always:true and does not ask to modify other skills or system-wide agent config. It is an instruction-only skill that expects a local CLI/HTTP server and transient agent identity headers — standard for this integration.
Assessment
This skill appears internally consistent with its stated goal of local browser automation. Before installing or running it: (1) prefer installing from the published Homebrew tap or the official GitHub releases and verify checksums/signatures as documented; (2) only point the skill at PinchTab servers you control — avoid using remote servers you do not trust or whose PINCHTAB_TOKEN you did not provision; (3) do not grant the agent permission to evaluate arbitrary JavaScript or upload local files unless you explicitly approve the specific operation; (4) use isolated PinchTab profiles/workspace paths (not your regular Chrome profile) for automation and sensitive sites; and (5) if you need higher assurance, audit the public repo release you will install or run the binary in a sandboxed environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk9778qnhwb2nmk6g3vrbv371kh84xyhy

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspinchtab
Any bingoogle-chrome, google-chrome-stable, chromium, chromium-browser

Install

Homebrew
Bins: pinchtab
brew install pinchtab/tap/pinchtab
Go
Bins: pinchtab

Comments