技能详情(站内镜像,无评论)
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v1.0.0
统计:⭐ 0 · 12 · 0当前安装次数· 0历史安装次数
⭐ 0
安装量(当前) 0
🛡 VirusTotal :良性 · OpenClaw :可疑
Package:bfchain2-hub/agent-browser-stealth-xyh
安全扫描(ClawHub)
- VirusTotal :良性
- OpenClaw :可疑
OpenClaw 评估
The skill does what it says (Playwright-based stealth automation) but contains behaviors that can capture sensitive inputs and persist session state without clear warnings, so its requirements and runtime actions are broader/riskier than the description implies.
目的
Using Playwright and Chromium launch flags is consistent with the stated purpose of anti-detection automation. The included JS implements the claimed stealth techniques (navigator.webdriver masking, canvas/webgl spoofing, permissions override). However the snapshot feature also reads input 'value' attributes and returns them — a capability that can expose passwords or other sensitive fields and is not called out as a privacy/security caveat in…
说明范围
SKILL.md instructs running the provided script and to use --continue to persist sessions but does not warn that 'snapshot' will collect element values (including input values), that a local .session.json is written, or that the script will attempt to connect to a CDP endpoint at http://localhost:9222 when resuming. The script also overrides Permissions API responses (for notifications/geolocation/etc.), which changes page behavior beyond simpl…
安装机制
There is no automated installer in the registry entry; SKILL.md recommends installing Playwright via npm/npx (a standard, expected approach). No remote, untrusted binary downloads or extract-from-arbitrary-URL installs are present in the package files. Network access to npm is required by the user to obtain Playwright.
证书
The skill declares no credentials or env vars, which fits its purpose, but it still reads/writes local session files (.session.json and user-provided storageState files) and returns captured page element metadata and input values. That local file I/O and the ability to capture input values are disproportionate to a user expectation of 'stealth' — they introduce a credential-exposure risk even though no external secrets are requested.
持久
always:false (no forced persistence), and the skill only writes a local .session.json to track active sessions (normal for session reuse). It also attempts to connect to a local CDP at http://localhost:9222 when resuming (only localhost). These are moderate privileges but not platform-global; still, resuming via CDP could behave unexpectedly if a CDP endpoint is forwarded/exposed.
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「Agent Browser Stealth」。简介:Stealth browser automation with anti-detection. Launches Chromium with fingerpr…。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/bfchain2-hub/agent-browser-stealth-xyh/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
---
name: agent-browser-stealth
description: Stealth browser automation with anti-detection. Launches Chromium with fingerprint randomization, webdriver flag removal, Canvas/WebGL spoofing, and permissions API masking. Use for web scraping, login automation, and session persistence on bot-protected sites. Triggers on "stealth browser", "anti-detection", "undetectable browser", "hide automation", "stealth login", "bot protection bypass".
metadata: {"openclaw":{"emoji":"🎭","os":["darwin","linux","win32"]}}
---
# agent-browser-stealth
Anti-detection browser automation built on Playwright. Launches Chromium with layered stealth to evade bot detection on protected sites.
## Architecture
```
agent-browser-stealth
└── stealth-launch.js # Playwright + CDP stealth wrapper
├── Removes navigator.webdriver
├── Spoofs Canvas/WebGL fingerprints
├── Masks chrome.runtime
├── Patches Permissions API
├── Hides automation CSS flags
└── Preserves full Playwright functionality
```
## Commands
```bash
# Launch and navigate
node scripts/stealth-launch.js open https://example.com
# Get interactive elements (ref-based)
node scripts/stealth-launch.js snapshot
# → Returns refs e1, e2, e3... with element metadata
# Interact
node scripts/stealth-launch.js click e3
node scripts/stealth-launch.js fill e2 "text to fill"
node scripts/stealth-launch.js type e2 "typed slowly"
node scripts/stealth-launch.js press Enter
# Inspect
node scripts/stealth-launch.js screenshot [path]
node scripts/stealth-launch.js get text e1
node scripts/stealth-launch.js get attr e5 href
node scripts/stealth-launch.js get value e2
# Close
node scripts/stealth-launch.js close
```
## Snapshot Refs
`snapshot` returns numbered refs (`e1`, `e2`, ...) — use these for subsequent interactions:
```
1. [a] "Sign In" → /login
2. [input] placeholder="Email"
3. [input] type=password
4. [button] "Submit"
```
Then:
```bash
node scripts/stealth-launch.js click e1 # click Sign In
node scripts/stealth-launch.js fill e2 "user@example.com"
node scripts/stealth-launch.js fill e3 "password"
node scripts/stealth-launch.js click e4 # Submit
```
## Stealth Layers
| Layer | Technique |
|-------|-----------|
| WebDriver Flag | `Object.defineProperty(navigator, 'webdriver', { get: () => undefined })` |
| Chrome Runtime | `chrome.runtime` nullified |
| Canvas Fingerprint | `getImageData` returns noise instead of real data |
| WebGL Vendor/Renderer | Spoofed to Intel Iris OpenGL Engine |
| Permissions API | Returns `granted` for notifications/geolocation |
| getComputedStyle | Animations/transition stripped |
| Viewport | Randomized within 1280-1330 × 900-950 |
## Installation
```bash
npm install -g playwright
npx playwright install chromium
```
The skill uses Playwright as a local dependency via `npx` — no global install of stealth plugins needed.
## Session Persistence
For login persistence, use Playwright's built-in storageState:
```javascript
// In scripts/stealth-session.js — save auth after login
import { chromium } from 'playwright';
const browser = await chromium.launch({
headless: true,
args: ['--disable-blink-features=AutomationControlled', '--no-sandbox']
});
const page = await browser.newPage();
// ... perform login ...
await page.context().storageState({ path: 'auth.json' });
// Next run:
const browser = await chromium.launch({ headless: true });
const context = await browser.newContext({ storageState: 'auth.json' });
```
## Anti-Detection Testing
Test stealth effectiveness:
```bash
node scripts/stealth-launch.js open https://bot.sannysoft.com
node scripts/stealth-launch.js snapshot
# All checks should show green/undetected
```
## Limitations
- Cloudflare JS Challenge: May require headed mode + manual solve
- CAPTCHAs: Requires external solver (2Captcha, etc.) — not built in
- Very aggressive sites: May need proxy rotation (residential proxies)
## Examples
### Login to a Protected Site
```bash
node scripts/stealth-launch.js open https://target-site.com/login
node scripts/stealth-launch.js snapshot
node scripts/stealth-launch.js fill e1 "email@example.com"
node scripts/stealth-launch.js fill e2 "password"
node scripts/stealth-launch.js click e3
node scripts/stealth-launch.js screenshot
node scripts/stealth-launch.js close
```
### Scrape Dynamic Content
```bash
node scripts/stealth-launch.js open https://news.site.com
node scripts/stealth-launch.js snapshot
# Identify article refs, then extract
node scripts/stealth-launch.js get html e5
node scripts/stealth-launch.js close
```
### Stealth vs agent-browser
| Feature | agent-browser | agent-browser-stealth |
|---------|--------------|-----------------------|
| Anti-detection | ❌ None | ✅ 8 layers |
| Fingerprint spoofing | ❌ None | ✅ Canvas + WebGL |
| CDP-based | ✅ Native Rust | ✅ Playwright |
| Session isolation | ✅ | ✅ |
| Complexity | Lightweight | Slightly heavier |
| Best for | General automation | Protected sites |