ClawHub

浏览器自动化 CLI

v1.0.0

通过本地 HTTP API 启动、关闭和查询多账号独立浏览器实例,实现独立 IP、Cookie 及指纹的隔离管理。

0· 16·0 current·0 all-time
byscariris@wociaozhongyunonghaole
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description claim to control local browser instances via a local HTTP API. The Python code implements HTTP POST calls to a configurable api_url (default http://localhost:1008) and provides CLI/NLP wrappers for listing, starting, stopping and querying accounts. No unrelated credentials, packages, or system resources are requested.
Instruction Scope
SKILL.md clearly instructs the user to install a third‑party '多账号矩阵管理工具' (site: https://zmt.scys6688.com/) and enable its local HTTP server on port 1008. The skill reads config.yaml and writes last_result.txt in its own directory and sends JSON POSTs to the configured api_url. It does not attempt to read arbitrary user files or environment variables. Note: if api_url is changed to a remote host, the skill would send the same JSON payloads off‑host — the README itself warns about this risk.
Install Mechanism
There is no install script or remote download in the skill bundle — it's instruction/code only. That is low risk for the skill itself. However the runtime depends on an external closed‑source application that the user must download/install from the vendor site; that external install is outside the skill and is the primary supply‑chain/operational risk.
Credentials
The skill declares no environment variables, no credentials, and the code does not access system secrets. It only reads a local config.yaml (api_url, timeout) and writes a last_result.txt in the skill folder. The only network activity is HTTP POSTs to the configured api_url (default localhost). Changing api_url would be the main way to expose data to an external endpoint.
Persistence & Privilege
The skill does not request always:true and uses normal user‑invocable invocation. It only writes small files inside its own skill directory and does not modify other skills or system configuration. No elevated persistence or system‑wide modifications are performed.
Assessment
This skill appears to do what it says: it is a client that talks to a local ZMT matrix browser HTTP API. Before installing or using it: - Verify and trust the external '多账号矩阵管理工具' from https://zmt.scys6688.com/ (binary distribution is outside this skill). Review that program for safety and network behavior. - Keep api_url pointed at localhost (default) unless you explicitly intend to send requests to another host; changing api_url will forward account control payloads to whatever endpoint you configure. - Be aware the skill writes a small last_result.txt and reads config.yaml from the skill folder — no other local files or secrets are read. - If you need higher assurance, inspect or run the included Python code in a sandbox and confirm the external matrix manager runs locally on the expected port before providing it with any real accounts or credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk978462h0cr7943pvt2mktd2js849r95

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments