Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Termux Zero Token

v1.0.0

On Termux, use the cookies of the Chrome session already signed in on your phone to call DeepSeek, Kimi, Qwen, GLM and several other AI models for free.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description claim to use a phone's Chrome session to call DeepSeek/Kimi/Qwen/GLM without API keys, and the source files implement exactly that: connecting to Chrome CDP over localhost:9222 via Playwright, reading cookies for the provider domains, and calling provider endpoints with those cookies or the tokens extracted from them. Saving credentials to ~/.openclaw/zero-token/credentials.json is consistent with the stated goal. The Playwright dependency is logically required for CDP access.
Instruction Scope
SKILL.md explicitly instructs the user to enable ADB forwarding and Chrome remote debugging, then to 'import credentials' (i.e., capture cookies and session state). The code captures cookies for the provider domains and saves them locally. Capturing browser cookies is intrinsically high-risk: they are sensitive session credentials that can grant account access. The instructions and code also require enabling remote debugging on the phone, which gives broad access to the device's browser session. While collection is scoped to the listed providers' domains, the runtime has access to the phone's browser via CDP and could be extended to capture other data. SKILL.md also triggered a prompt-injection scanner finding (system-prompt-override) because the file references 'systemPrompt' in its examples; this is likely benign in context but worth noting.
Install Mechanism
There is no explicit install specification (instruction-only style), but package.json declares a dependency on 'playwright-core'. Playwright can be large and may pull in native artifacts or require additional platform-specific setup. No remote downloads from unknown URLs are present in the skill bundle itself. Because there is no install spec in the skill metadata, installing and running this code requires an npm install that fetches packages from the public registry, which is normal but non-trivial.
Credentials
The skill declares no environment variables, but it requires ADB access to the user's phone and direct access to mobile Chrome sessions. It persists cookies and an optional userAgent into an unencrypted file (~/.openclaw/zero-token/credentials.json) for 7 days. Storing session cookies is equivalent to storing account credentials and is disproportionately sensitive even though it is logically needed for the stated feature. There are no additional external secret requirements, and the provider cookieDomains restrict what is collected, but what is collected still grants full session-level access to those accounts.
Persistence & Privilege
The skill writes persistent credentials to the user's home directory under ~/.openclaw/zero-token and sets an expiresAt timestamp (7 days). The 'always' flag is false (no unconditional inclusion). The skill does not modify other skills or the global agent config. Allowing autonomous invocation is the platform default; combined with persistent sensitive data, it increases the blast radius if the agent uses the stored cookies without user confirmation.
Scan Findings in Context
[system-prompt-override] unexpected: The pre-scan flagged a 'system-prompt-override' pattern in SKILL.md. SKILL.md and the provider code reference a 'systemPrompt' field used to build messages, which explains the presence of the token. There is no clear attempt in the files to override the OpenClaw system prompt, but the finding merits manual review because prompt-injection-style content in skill instructions can be used to influence agent behavior.
What to consider before installing
This skill does what it claims (uses ADB/Chrome remote debugging to steal cookies from your phone and reuse them to call AI services), but that capability is sensitive and risky. Before installing or running it, consider:
1) Only use it on a device and account you fully control and that has no payment or sensitive data; these cookies can allow account takeover.
2) Review the code yourself (or have a trusted reviewer do so); it saves cookies unencrypted to ~/.openclaw/zero-token/credentials.json for 7 days.
3) Running npm install will fetch playwright-core and its dependencies; be prepared for large installs and platform dependencies.
4) This approach likely violates the providers' terms of service and could lead to account suspension.
5) If you still want to try it, run it in an isolated environment (throwaway account / VM), remove stored credentials after use, and monitor network activity.
6) If you need legitimate API access, prefer official API keys or provider-approved SDKs rather than extracting browser sessions.
Finally, given the sensitive nature of what it does, treat this skill as high-risk and avoid using it on primary or shared accounts.
src/index.ts:17: Environment variable access combined with network send.
src/index.ts:111: File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

