Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Browser Collector

v1.0.0

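Browser automation + data collection framework. Supports Playwright control, DdddOcr captcha recognition, and financial data collection from EastMoney/Xueqiu/AKShare. Anti-scraping countermeasures, UA pool, proxies.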

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description promise Playwright-driven scraping, OCR for captchas, and built-in collectors for EastMoney, Xueqiu and AKShare; the repository contains Playwright control, captcha solver, login manager, and collectors for those exact sources. No unrelated credentials or surprising binaries are required.
Instruction Scope
SKILL.md contains usage examples and a CLI invocation that match the code. The runtime instructions and code only reference site APIs and local cookie storage; there are no instructions to read arbitrary unrelated files or to exfiltrate data to unknown endpoints.
Install Mechanism
There is no install spec (instruction-only skill) which reduces install risk, but the code has non-trivial Python runtime dependencies (playwright, ddddocr, opencv, akshare, possibly pytesseract). Installing Playwright also requires browser binaries (playwright install) — the SKILL.md lists dependencies but does not provide an automated, auditable install step. This is not a security red flag by itself, but users should be prepared to install large/privileged dependencies.
Credentials
The skill does not declare required environment variables or external credentials. It does persist cookies under ~/.openclaw/cookies to support login flows (expected for a collector that can use authenticated APIs). No unrelated secrets or config paths are requested.
Persistence & Privilege
Flags show normal defaults (always: false, model invocation allowed). The skill writes cookies to its own folder under the user's home, which is a reasonable behavior for a login manager and does not modify other skills or system-wide settings.
Assessment
This package appears to do what it says: Playwright-based scraping, OCR for captchas, and collectors for EastMoney/Xueqiu/AKShare. Before installing, consider:
1) Dependency checklist — you will need to pip-install Playwright, run 'playwright install' (to get browser binaries), and install DdddOcr/OpenCV (and optionally pytesseract);
2) Legal/ethics — scraping financial sites can violate terms of service; use responsibly and respect rate limits;
3) Privacy — login cookies are persisted to ~/.openclaw/cookies; don't store sensitive account credentials unless you understand the implications;
4) Isolation — run in a virtualenv/container to avoid dependency/version conflicts and to contain network activity;
5) Review core/config.py (included) for logging, proxy, or telemetry settings before use.
If you need higher assurance, request a review of the remaining truncated files (core/config.py, collectors/cli.py, and any omitted code) to confirm there are no hidden network callbacks or telemetry hooks.

Like a lobster shell, security has layers — review code before you run it.
