← Back to Skills Marketplace
83
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install phone-chrome-cdp
Description
Control Android Chrome via ADB and raw WebSocket CDP. No Playwright needed for navigate, JS injection, cookies, DOM, scroll, click.
Usage Guidance
This skill appears to do exactly what it claims, but it grants strong access to the phone's browser: it shows how to run JS in pages and read httpOnly cookies, and it suggests exposing the DevTools port to the LAN. Before using it, consider:
- Only run these instructions on devices and networks you trust. Exposing Chrome DevTools (localhost:9222) to other hosts lets anyone on that network fully control the browser and read sensitive data.
- Prefer keeping the DevTools endpoint bound to localhost and use an authenticated tunnel (SSH/VPN) if remote access is required, instead of opening it directly to the LAN.
- The SKILL.md recommends omitting the Origin header to bypass browser rejection — this is deliberate to connect over ADB but removes a browser protection; be careful when reusing code or adapting it for other environments.
- The steps let you read cookies (including httpOnly) and DOM contents and perform clicks/navigation — treat outputs as sensitive and avoid sending them to untrusted endpoints.
- Because this is instruction-only, the skill itself doesn't install code, but it runs shell commands (adb, curl) and provides Python code you or an agent would execute. Only run the provided code after reviewing and, if possible, running in an isolated environment.
If you want to proceed safely: restrict port forwarding to localhost, avoid direct LAN exposure, require explicit confirmation before any action that forwards ports or reads cookies, and audit any network forwarding tools used for sharing.
Capability Analysis
Type: OpenClaw Skill
Name: phone-chrome-cdp
Version: 1.0.0
The skill provides low-level control over Android Chrome via ADB and raw WebSocket communication, specifically bypassing security headers (Origin) to interact with the Chrome DevTools Protocol. It includes high-risk capabilities such as exfiltrating all browser cookies (including httpOnly) and executing arbitrary JavaScript via 'Runtime.evaluate' and 'Network.getAllCookies' in SKILL.md. While these functions are aligned with the stated purpose of mobile browser automation, the combination of ADB shell access and raw socket manipulation for sensitive data access warrants a suspicious classification.
Capability Assessment
Purpose & Capability
Name/description (control Chrome on Android via ADB + CDP) match the SKILL.md: it shows adb port forwarding, listing tabs via /json, and a Python CDP client to send CDP commands. There are no unrelated environment variables, binaries, or installs requested.
Instruction Scope
The instructions stay on-topic (start Chrome via ADB, forward devtools socket, manually implement WebSocket frames, call CDP methods, use adb screencap). However the doc explicitly (1) instructs bypassing browser protections by omitting Origin headers, (2) shows how to read httpOnly cookies and execute arbitrary JS in pages, and (3) encourages exposing localhost:9222 to the LAN via port-forwarding — all of which are legitimate for a CDP tool but are powerful and sensitive operations. The instructions do not include explicit steps to exfiltrate data, but the provided code and commands give full ability to read cookies, DOM, and perform actions, so operator caution is needed.
Install Mechanism
There is no install spec and no code files beyond SKILL.md; the skill is instruction-only. That minimizes filesystem/installation risk because nothing will be written/installed by a package step in the skill bundle itself.
Credentials
The skill does not request environment variables, credentials, or config paths. The operations it performs (adb, local HTTP/WebSocket to Chrome DevTools) do not require additional external credentials declared by the skill, so the lack of requested secrets is proportionate.
Persistence & Privilege
The skill is not always-enabled, does not request persistent presence, and contains no instructions to modify other skills or global agent config. Autonomous invocation is allowed (platform default) but not combined with other privilege escalation requests.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install phone-chrome-cdp - After installation, invoke the skill by name or use
/phone-chrome-cdp - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
🎉 Initial release: Control Android Chrome via ADB + raw WebSocket CDP. Zero dependencies.
Metadata
Frequently Asked Questions
What is Phone Chrome CDP?
Control Android Chrome via ADB and raw WebSocket CDP. No Playwright needed for navigate, JS injection, cookies, DOM, scroll, click. It is an AI Agent Skill for Claude Code / OpenClaw, with 83 downloads so far.
How do I install Phone Chrome CDP?
Run "/install phone-chrome-cdp" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Phone Chrome CDP free?
Yes, Phone Chrome CDP is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Phone Chrome CDP support?
Phone Chrome CDP is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Phone Chrome CDP?
It is built and maintained by 老实人 (@laolaoshiren); the current version is v1.0.0.
More Skills