PinchTab Browser Ops
v0.1.4Browser automation via PinchTab CLI (nav/snap/find/click/fill/press/text) with low-token accessibility-tree flow. Use when the user asks to operate websites,...
⭐ 0· 298·2 current·2 all-time
by@wiszhou
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description match the SKILL.md: the skill provides step-by-step PinchTab CLI browser automation (nav/snap/find/click/fill/press/text) and the instructions only reference the PinchTab commands and the targeted site (xiaohongshu). No unrelated environment variables, binaries, or config paths are requested.
Instruction Scope
Instructions stay within browser automation scope (navigate, snapshot, operate refs, verify). They explicitly forbid requesting/storing one-time codes and require manual login for CAPTCHAs/2FA. The workflow mandates reusing browser instances and keeping them alive — this is coherent for session continuity but implies persistent authenticated state which is a privacy/attack-surface consideration.
Install Mechanism
No install spec or downloaded code is included (instruction-only). That minimizes disk-write risk. However, the skill assumes a local 'pinchtab' CLI is available; the skill provides no guidance for installing or verifying that binary.
Credentials
The skill requests no environment variables or credentials in metadata and the SKILL.md does not ask for secrets. This is proportionate to its stated purpose. It does rely on the local user's browser session (kept alive), so credentials reside in the local browser, not in the skill.
Persistence & Privilege
Skill is not always: true and does not request system-wide privileges. The recommended behavior to keep browser instances alive and reuse profiles increases persistence of authenticated sessions (intentional for automation). Autonomous invocation of the skill is allowed by default (platform standard) — if you are concerned about automated runs reusing logged-in sessions, restrict invocation or monitor runs.
Scan Findings in Context
[no_regex_findings] expected: The static scanner had no code files to analyze because this is an instruction-only skill; that is expected but means there is no baked-in code to review. The included reference file (xiaohongshu-longform.md) describes site-specific workflows and is consistent with the skill purpose.
Assessment
This skill appears internally consistent for driving a local PinchTab CLI to automate web tasks (including posting drafts on 小红书). Before installing: (1) Ensure you trust and have installed the pinchtab CLI from a trusted source — the skill assumes that binary but provides no install or verification steps. (2) Be aware the skill's workflow intentionally keeps browser instances/profiles alive to preserve login state; if that persistence is undesirable, avoid reuse or close instances manually. (3) The skill says it will not request or store OTPs/CAPTCHAs — still avoid entering sensitive credentials via any automated path and perform 2FA/logins manually as instructed. (4) The skill owner/source is unknown and there is no homepage; if you need higher assurance, ask the author for the pinchtab CLI install instructions, signed release link, or source code for review, or restrict the skill's autonomous invocation.Like a lobster shell, security has layers — review code before you run it.
browser-automationvk97113anvpv9bpzr1znafzn6nh830hc3latestvk97113anvpv9bpzr1znafzn6nh830hc3openclawvk97113anvpv9bpzr1znafzn6nh830hc3pinchtabvk97113anvpv9bpzr1znafzn6nh830hc3xiaohongshuvk97113anvpv9bpzr1znafzn6nh830hc3
License
MIT-0
Free to use, modify, and redistribute. No attribution required.