captcha-base-skill
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could use this skill to get around CAPTCHA protections on websites or spend paid CAPTCHA-solving credits during automated workflows.
The skill is explicitly positioned for automation and instructs agents to solve common anti-bot CAPTCHA systems through a paid service, which can bypass third-party abuse-prevention controls if used without authorization.
Suitable for OpenClaw/ClawHub, browser automation and RPA scenarios ... ReCaptcha / hCaptcha / Turnstile | Direct payment
Use only for sites and workflows where you have clear authorization. Require explicit user approval for cloud CAPTCHA solving, especially reCAPTCHA/hCaptcha/Turnstile, and set rate or cost limits.
Any image passed to cloud mode, plus the JFBYM token, leaves the local machine and is processed by the external provider.
The documentation discloses that cloud fallback transmits CAPTCHA images and the provider token to an external API.
Once cloud fallback is enabled, the image data passed in and `JFBYM_TOKEN` are sent to `https://api.jfbym.com`
Use local-only mode for sensitive images, avoid setting JFBYM_TOKEN unless cloud solving is intended, and do not pass non-CAPTCHA private images to the skill.
If the token is present, the skill can use the associated JFBYM account for paid CAPTCHA-solving operations.
The SDK reads an optional account token from the environment and includes it in paid provider API calls, which is expected for this integration but should be treated as delegated account authority.
self.token = token or os.environ.get("JFBYM_TOKEN") ... "token": self._require_token()
Store the token securely, scope it if the provider supports scoping, and remove it from the environment when cloud solving is not needed.
Users have less external provenance information to verify who maintains the skill and where updates originate.
The registry metadata does not provide a source repository or homepage, which limits provenance review even though the included requirements are pinned and no static findings were reported.
Source: unknown; Homepage: none
Install in an isolated Python environment and verify the included source and dependencies before using it in sensitive automation.
