ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

urlgo

v6.4.0

浏览器控制 CLI

0· 160·0 current·0 all-time
byfslong@fslong520

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for fslong520/urlgo.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "urlgo" (fslong520/urlgo) from ClawHub.
Skill page: https://clawhub.ai/fslong520/urlgo
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install urlgo

ClawHub CLI

Package manager switcher

npx clawhub@latest install urlgo
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to be a browser-control CLI helper and its instructions call the 'urlgo' executable and a browser CDP, which is consistent with the stated purpose — but the registry metadata lists no required binaries or install steps even though SKILL.md lists dependencies (curl, websockets(Python)) and repeatedly instructs running 'urlgo'. That omission is an incoherence: the skill assumes a binary/environment that is not declared.
Instruction Scope
Instructions are narrowly scoped to connecting to CDP, opening pages, taking screenshots, evaluating JS and interacting with page elements. They do not ask for unrelated files or credentials. However, the runtime actions permit executing arbitrary JS and accessing any page the agent opens, which can expose local browser data (cookies, auth) if the CDP is attached to a real profile.
Install Mechanism
This is an instruction-only skill with no install spec (low direct install risk). But SKILL.md lists external dependencies (curl, Python websockets) and assumes a 'urlgo' CLI — there is no guidance on how to obtain/install urlgo, which is an operational gap and increases the risk of confusion or accidental execution of missing/nonstandard binaries.
!
Credentials
The skill declares no environment variables, which is fine, but it implicitly requires access to the browser CDP endpoint and local websockets. Controlling a browser via CDP grants access to browsing context and stored data; this privileged access is not articulated in the metadata and is therefore disproportionate to the declared requirements.
Persistence & Privilege
The skill does not request persistent/always-on presence and uses normal autonomous-invocation defaults. It does not declare changes to other skills or system settings. Still, autonomous invocation combined with the ability to control a browser increases potential impact and should be considered by the user.
What to consider before installing
Do not install or enable this skill unless you understand and control the 'urlgo' CLI and the browser/CDP it will talk to. Ask the publisher for an explicit install/readme that: (1) states where to get the urlgo binary and how it should be installed, (2) documents required dependencies (curl, Python websockets) and platforms, and (3) explains whether CDP connections will attach to a real browser profile (and thus expose cookies/auth). If you proceed, ensure the CDP endpoint is isolated (no sensitive profiles) and consider disabling autonomous invocation until you verify the binary and behavior.

Like a lobster shell, security has layers — review code before you run it.

automationvk970mwd9c5bwdjfd9ybnz75vk185865rbrowservk970mwd9c5bwdjfd9ybnz75vk185865rcdpvk970mwd9c5bwdjfd9ybnz75vk185865rlatestvk970mwd9c5bwdjfd9ybnz75vk185865rnetworkvk970mwd9c5bwdjfd9ybnz75vk185865rwebvk970mwd9c5bwdjfd9ybnz75vk185865r
160downloads
0stars
8versions
Updated 6d ago
v6.4.0
MIT-0
fslong@fslong520
automationbrowsercdplatestnetworkweb
Download

Domain keywords: https://, http://, www., 浏览器, CDP, 截图, 网页, mp.weixin

Summary: 连 CDP,开网页,截图,执行 JS。

Strategy:

  1. urlgo status → CDP 开了没?没开就 urlgo start
  2. urlgo open <url> → 打开页面
  3. 截图/读取/点击/输入/执行 JS
  4. 返回结果

AVOID:

  • AVOID 不检查 CDP 就操作,先 status/start
  • AVOID 忘装 websockets,截图和 JS 要用它
  • AVOID 用 WebFetch 读网页,应该用 urlgo snapshot 代替

命令

命令说明
urlgo status检查 CDP
urlgo start启动浏览器
urlgo list查看页面
urlgo open <url>打开网页
urlgo screenshot <id> <file>截图
urlgo snapshot <id>读取内容
urlgo eval <id> "<js>"执行 JS
urlgo click <id> "<sel>"点击
urlgo type <id> "<sel>" "<text>"输入

示例

urlgo start
urlgo open https://example.com
urlgo snapshot 1
urlgo screenshot 1 /tmp/a.png

依赖

curl, websockets(Python)

Comments

Loading comments...