← Back to Skills Marketplace
waylonsong

Headful Browser (VNC)

by WaylonSong · GitHub ↗ · v1.0.2 · MIT-0
cross-platform ⚠ suspicious
141
Downloads
1
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install headful-browser-vnc
Description
Headful Chromium with VNC/noVNC operator UI and Chrome CDP exports (cookies, screenshots, outerHTML).
README (SKILL.md)

headful-browser-vnc

Overview

headful-browser-vnc provides a controlled, auditable, headful Chromium browsing environment on a server for cases where full browser rendering and occasional human interaction are required. It combines Xvfb, a window manager, and x11vnc (optional noVNC) to present the server-side browser UI to an operator, while offering programmatic integration points (Chrome Remote Debugging / CDP) for automated capture of cookies, rendered HTML, and screenshots.

Primary objective

  • Enable reliable, repeatable automation workflows that require the ability to escalate to a human operator for tasks that cannot be solved purely by automation (CAPTCHA solving, challenge pages, multi-factor authentication, manual login flows). The skill's intent is to: (1) run a headful Chrome instance in an isolated profile; (2) expose a secure operator-visible UI to the server browser (VNC/noVNC) so a human can intervene; (3) preserve and export the resulting browser session artifacts (cookies, outerHTML, screenshots) back into automated pipelines for continued processing.

Key capabilities

  • Headful browser execution: launch Google Chrome / Chromium with an isolated user data directory and configurable flags (proxy, remote-debugging-port, extra args) on a server X display provided by Xvfb.
  • Operator UI: present the running browser to an operator via x11vnc (or optional noVNC web proxy). Operators can connect over SSH-forwarded ports or noVNC with token gating to perform manual actions (solve CAPTCHAs, authenticate), then signal the system to capture artifacts.
  • Programmatic capture: export rendered outerHTML, full-page screenshots, and cookies using Chrome CDP (Playwright/Puppeteer compatible). Exports are intended for downstream automated analysis or storage.
  • Safe restart and recovery: helpers to restart Chrome when flags change, with explicit user confirmation required for any action that may terminate existing browser instances.
  • Artifact hygiene: captured artifacts are written to an artifacts directory with restrictive file permissions. The skill logs actions and writes diagnostic artifacts to facilitate debugging and comparison-based analysis.

Security, privacy, and operational notes

  • VNC security: the skill creates per-session passfiles (rfbauth) when possible; noVNC should be bound to loopback or token-gated. Do not expose VNC/noVNC endpoints to the public internet without additional access controls. Store passfiles with mode 600.
  • Sensitive artifacts: cookies and rendered page artifacts are sensitive. They are stored under the skill's out/ directory with restrictive permissions; users are responsible for secure storage and timely cleanup.
  • Privileged operations: installing system packages and enabling systemd units require sudo and explicit user consent. The scripts will not perform privileged actions automatically unless the operator explicitly enables the auto-install path (see below).

Supported VNC implementations

The skill supports multiple VNC backends; behavior is controlled via the skill-local .env file (VNC_IMPLEMENTATION): auto (default), tigervnc, tightvnc, realvnc. When possible the skill prefers non-interactive rfbauth generation via vncpasswd; when unavailable it prompts the operator and documents fallback behavior.

Runtime files & usage

This section documents each file included in the skill release branch, its purpose, usage examples, preconditions, and relations to other files. All script examples assume you run them from the workspace root unless noted.

skills/headful-browser-vnc/scripts/setup.sh

  • Purpose: interactive, documented installer and validator for the skill's runtime dependencies (Xvfb, x11vnc, Chrome/Chromium, node, tooling). Primarily guidance-only: prints distro-aware commands; only runs package-manager operations when explicitly allowed.
  • Usage: 
    ./skills/headful-browser-vnc/scripts/setup.sh [--check-only] [--auto-install] [--yes] [--set-password]
  • Preconditions: network access to package repositories; sudo available for host installs (not required inside containers when running as root). When running inside a container, auto-installs require either root or CONTAINER_AUTO_OK=true.
  • Relations: updates/creates skills/headful-browser-vnc/.env; generates VNC passfiles via vncpasswd when available; consults templates/ for service unit guidance.

skills/headful-browser-vnc/scripts/start_vnc.sh

  • Purpose: start an Xvfb display, optional window manager, and x11vnc to expose the display. Emits a one-line summary with the VNC port and display id.
  • Usage: 
    skills/headful-browser-vnc/scripts/start_vnc.sh \x3Csession_id> [--display=:99] [--resolution=1366x768] [--port=5901]
  • Preconditions: Xvfb and x11vnc installed (or available in Docker image), VNC_PASSFILE permission 600 if provided.
  • Relations: start_vnc.sh creates the DISPLAY and user-data directory used by start_chrome_debug.sh; stop_vnc.sh undoes the session.

skills/headful-browser-vnc/scripts/stop_vnc.sh

  • Purpose: stop and clean up a running VNC/Xvfb session previously started by start_vnc.sh.
  • Usage: 
    skills/headful-browser-vnc/scripts/stop_vnc.sh \x3Csession_id> [--display=:99]
  • Preconditions: session id matches an active session created by start_vnc.sh.

skills/headful-browser-vnc/scripts/start_chrome_debug.sh

  • Purpose: launch a headful Chrome/Chromium instance attached to a session DISPLAY with a dedicated user-data dir and remote-debugging port for CDP access.
  • Usage: 
    skills/headful-browser-vnc/scripts/start_chrome_debug.sh \x3Csession_id> [--proxy=http://...] [--remote-debug-port=9222]
  • Preconditions: Chrome/Chromium binary available and readable; DISPLAY is set (start_vnc.sh must have run); user-data directory writable by the process owner.
  • Relations: other scripts (export_page.sh, export_cookies.sh) connect to the remote-debugging port started by this script.

skills/headful-browser-vnc/scripts/export_page.sh

  • Purpose: instruct Chrome to load a URL and export rendered outerHTML and a full-page screenshot for later analysis.
  • Usage: 
    skills/headful-browser-vnc/scripts/export_page.sh \x3Csession_id> \x3Curl> [--devtools-port=9222]
  • Preconditions: headful Chrome with remote-debugging port active and reachable (start_chrome_debug.sh).

skills/headful-browser-vnc/scripts/export_cookies.sh

  • Purpose: export cookies from a running Chrome instance via the Chrome DevTools Protocol.
  • Usage: 
    skills/headful-browser-vnc/scripts/export_cookies.sh \x3Csession_id> [--devtools-port=9222]

General Notes on Export Helpers

  • Note: these export helpers (export_page.sh, export_cookies.sh) are designed to be idempotent and safe to run after manual operator interventions. They place artifacts into out/\x3Csession_id>/ with restrictive permissions.

Combined Script Usage Flow

  • Flow: start_vnc.sh \x3Cid>start_chrome_debug.sh \x3Cid> → operator attaches via VNC → operator interacts → export_page.sh / export_cookies.shstop_vnc.sh \x3Cid>

skills/headful-browser-vnc/docker/

  • Purpose: reference docker/ directory containing entrypoint and docker-compose.yml plus an embedded Dockerfile in README.docker.md for reproducible builds. ClawHub does not accept Dockerfile uploads, so the Dockerfile content has been included in skills/headful-browser-vnc/README.docker.md as a code block.
  • Recommendation: For reproducibility and security, build dependencies into the image (Dockerfile) rather than relying on runtime package installs inside a running container. If you must allow in-container auto-installs, see setup.sh gating (CONTAINER_AUTO_OK and container_auto_allowed()).

skills/headful-browser-vnc/templates/

  • Purpose: Jinja2-style templates for systemd unit files (x11vnc/noVNC). Use them as references; deploying them on a host requires sudo and careful service permissions.

skills/headful-browser-vnc/tests/smoke_test.sh

  • Purpose: non-privileged smoke test exercising start → launch → export → cleanup sequence to validate runtime behavior in CI-friendly environments.
  • Usage: 
    ./skills/headful-browser-vnc/tests/smoke_test.sh

Configuration (.env)

Place a skill-local skills/headful-browser-vnc/.env (chmod 600) to persist runtime defaults. Key fields:

  • VNC_PASSFILE: path to passfile (e.g. /home/user/.vnc/passwd or ./vnc_passwd)
  • VNC_PORT: optional explicit TCP port to bind x11vnc (if omitted the script will report the actual port in use)
  • VNC_IMPLEMENTATION: auto|tigervnc|tightvnc|realvnc
  • VNC_DISPLAY: X display (default :99)
  • VNC_RESOLUTION: screen resolution (default 1366x768)
  • REMOTE_DEBUG_PORT: Chrome remote debugging port (default 9222)
  • PROXY_URL / HTTP_PROXY / HTTPS_PROXY: optional proxy settings

Install and dependencies

  • setup.sh contains interactive guidance and optional prompts for installing Chrome, node, Playwright, and VNC helper tools. The installer will not run sudo operations without explicit consent.
  • Programmatic export paths prefer Node + Playwright; a Python fallback is available but optional.

Auto-install behaviour and safety (enforced)

The installer supports an optional auto-install path but it is gated behind explicit confirmations and container-aware checks:

  • CLI flag: --auto-install (sets AUTO_INSTALL=true for the run).
  • Runtime confirmation: when the installer proposes a distro-specific command it will first ask for a y/N confirmation, then print the exact command and require the operator to type the full word yes (not y). Only if both confirmations are provided will the installer execute the command.
  • Container extra gate: inside a detected container (/.dockerenv or /proc/1/cgroup contains docker/containerd/kubepods), automatic package-manager operations will only run if the process is root (id -u == 0) or if CONTAINER_AUTO_OK=true.

Default behaviour remains conservative: without --auto-install the installer only prints distro-appropriate commands and will not run package-manager commands automatically.

Templates and integration

  • templates/x11vnc.service.j2 — systemd unit template for persistent sessions (requires sudo to install)
  • templates/novnc.service.j2 — noVNC service template

Integration guidance for maintainers

  • Use Chrome CDP (devtools) for deterministic exports. Prefer attaching to an already-running headful Chrome instance rather than launching short-lived headless instances when reproducing a previously observed UI state.
  • Persist session artifacts and index them (timestamp, URL, session id, VNC port, devtools port) so comparison automation can operate on operator-validated examples.
  • When embedding into automated pipelines, clearly separate automated actions from operator interventions; require explicit human confirmation for destructive actions (Chrome restarts, service reconfiguration).

Testing

A non-privileged smoke test is provided at skills/headful-browser-vnc/tests/smoke_test.sh. It performs a basic start → launch → export → cleanup sequence and is useful for CI verification.

Support and contribution

The skill is maintained in this workspace. When contributing changes, follow the repository conventions: create backups before modifying scripts, run bash -n for syntax validation, and preserve audit logs and artifacts.

License

Include an appropriate LICENSE file when publishing (e.g., MIT). Update author/maintainer fields in SKILL.md prior to external publication.

Example: safe auto-install run

To allow the installer to perform distro package manager actions automatically, run with explicit --auto-install and be prepared to type the full confirmation word. Example:

AUTO_INSTALL=true ./skills/headful-browser-vnc/scripts/setup.sh --auto-install

The script will: (1) detect your distro and print the exact command it plans to run; (2) ask for a normal y/N confirmation; (3) print the command and require you to type the exact word yes to proceed; (4) only then execute the command.

If you prefer to always review and run commands manually, omit --auto-install and the script will only print distro-appropriate commands for you to run yourself.

Short example run transcript (what prompts look like)

Below is a short, representative transcript demonstrating the installer flow when a few components are missing and the operator chooses the manual path (no auto-install). Prompts shown are exact prompts produced by the current setup.sh.

$ ./skills/headful-browser-vnc/scripts/setup.sh
Platform install hints (guidance-only — these commands will NOT be run automatically):

Debian / Ubuntu (apt):
  sudo apt-get update
  sudo apt-get install -y --no-install-recommends \
    xvfb x11vnc fluxbox x11-utils tigervnc-standalone-server tightvnc-tools \
    fonts-noto-cjk fontconfig chromium-browser google-chrome-stable \
    nodejs npm python3-pip

---
Missing requirements: Xvfb x11vnc chrome node VNC_PASSFILE .env
--- Handling missing: Xvfb ---
Install Xvfb? (y/N) n
Skip. Manual: sudo apt-get install xvfb
Press Enter when done...
--- Handling missing: x11vnc ---
Install x11vnc? (y/N) y
VNC Port [5901]: 5901
Enter VNC passfile path [/home/user/vnc_passwd]: /home/user/.vnc/passwd
Tool 'vncpasswd' found. Preparing automated generation...
Enter VNC password (hidden): ********
Confirm password: ********
SUCCESS: rfbauth generated at /home/user/.vnc/passwd
--- Handling missing: chrome ---
Select Chrome version:
1) Google Chrome (Recommended)
2) Chromium (Snap)
3) Skip
Choice [1-3] (default 1): 3
Skipped.
--- Handling missing: node ---
Install Node.js v22+ using suggested command? (y/N) n
Skipped automatic install. Please run the printed command manually.
--- Handling missing: .env ---
Create template .env? (y/N) y
Created skills/headful-browser-vnc/.env
Usage Guidance
This package appears to implement exactly what it claims: a server-side headful Chromium + VNC environment with CDP-based exports. Before installing or running it: (1) verify the skill origin (skill.json references a GitHub URL but the registry metadata you were shown said source/homepage unknown — confirm the upstream repository and publisher trustworthiness); (2) inspect and create a skill-local .env (chmod 600) so you control paths and flags (VNC_PASSFILE, OUT_DIR, CHROME_USER_DATA_DIR, REMOTE_DEBUG_PORT); (3) do not expose VNC/noVNC to the public Internet — use SSH tunnels or bind to localhost/token gating as documented; (4) be cautious with the installer auto-install path (it will suggest apt/curl commands that download packages — run them only on trusted hosts and review commands like nodesource or Google Chrome deb downloads); (5) avoid enabling ALLOW_CHROME_FORCE_RESTART unless you accept the possibility of global chrome pkill behavior; (6) run the included smoke test in a sandboxed environment (container) first. If you want higher assurance, confirm the upstream Git commit history and that the published package matches the upstream repo.
Capability Analysis
Type: OpenClaw Skill Name: headful-browser-vnc Version: 1.0.2 The skill provides high-risk capabilities including the exposure of a headful browser via VNC and programmatic extraction of sensitive session artifacts like cookies and HTML (scripts/export_cookies.sh, tools/playwright_export.js). While these actions are documented as features for handling CAPTCHAs and manual logins, they represent a significant security risk. Furthermore, scripts/setup.sh uses 'eval' to execute constructed shell commands, and scripts/start_chrome_debug.sh launches Chromium with the '--no-sandbox' flag, which are notable security vulnerabilities. No evidence of intentional malice or unauthorized data exfiltration was identified.
Capability Assessment
Purpose & Capability
The name/description (headful Chromium with VNC and CDP exports) align with the included scripts and Node exporter. The scripts implement VNC session start/stop, Chrome launch with remote-debugging, and Playwright-based export of HTML/screenshot/cookies — all coherent with the stated purpose.
Instruction Scope
Runtime instructions and scripts read a skill-local .env and use environment variables such as VNC_PASSFILE, REMOTE_DEBUG_PORT, PROXY_URL, OUT_DIR and CHROME_USER_DATA_DIR — these are appropriate for the task. The installer can run package-manager commands, but only when explicitly confirmed. The scripts do include a global pkill fallback gated by an explicit ALLOW_CHROME_FORCE_RESTART flag and --force; this is dangerous if enabled but documented.
Install Mechanism
This is instruction/script-only (no install spec). Provided Dockerfile and setup guidance use standard public sources (apt, nodesource, Google Chrome direct URL). The installer prints commands and requires confirmation before privileged operations; no opaque third‑party binary downloads or URL shorteners are used.
Credentials
Requested env vars (VNC_PASSFILE, REMOTE_DEBUG_PORT, PROXY_URL, OUT_DIR, ALLOW_CHROME_FORCE_RESTART, CHROME_USER_DATA_DIR, VNC_IMPLEMENTATION) are reasonable for managing VNC/Chrome sessions and artifact output. No unrelated secrets are requested. There is an inconsistency in the provided metadata: the repository SKILL.md and skill.json declare required_env, but the registry summary at the top of your report showed 'Required env vars: none' — verify registry metadata and the skill-local .env before use.
Persistence & Privilege
The skill is not forced-always, does not request permanent elevated presence, and does not modify other skills. It documents optional systemd/service templates (deployment requires sudo and explicit consent). Autonomous invocation is allowed by default (normal) but not combined with other red flags here.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install headful-browser-vnc
  3. After installation, invoke the skill by name or use /headful-browser-vnc
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
headful-browser-vnc v1.0.2 - Added .gitignore and LICENSE for repo hygiene and licensing clarity. - Added README.md with detailed usage, capabilities, and security guidance. - Added Jinja2 systemd unit templates for x11vnc and noVNC (templates/novnc.service.j2, templates/x11vnc.service.j2). - Introduced environment variable requirements in SKILL.md frontmatter. - No breaking changes; all additions are documentation and template files for system and operator support.
v1.0.1
headful-browser-vnc 1.0.1 - Replaced docker-based setup with script- and template-based configuration (removed docker-compose and entrypoint, added setup.sh). - Added templates for systemd services (novnc.service.j2, x11vnc.service.j2) for easier host integration. - Introduced Playwright automation export helper (tools/playwright_export.js). - Added LICENSE file. - Included a smoke test script for basic validation. - Updated documentation in SKILL.md to reflect new setup process and runtime file structure.
v1.0.0
Initial public release of headful-browser-vnc. - Provides an auditable, headful Chromium browsing environment for server-side automation with optional human intervention via VNC/noVNC. - Allows operators to securely access, interact, and troubleshoot live browser sessions for automation edge cases (e.g., CAPTCHA, authentication). - Exposes programmatic capture capabilities: export rendered HTML, screenshots, and cookies for downstream workflows. - Highlights operational hygiene: secure artifact handling, session control, and explicit operator consent for privileged actions. - Includes installer, session management scripts, and Dockerfile/template examples for flexible deployment.
Metadata
Slug headful-browser-vnc
Version 1.0.2
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is Headful Browser (VNC)?

Headful Chromium with VNC/noVNC operator UI and Chrome CDP exports (cookies, screenshots, outerHTML). It is an AI Agent Skill for Claude Code / OpenClaw, with 141 downloads so far.

How do I install Headful Browser (VNC)?

Run "/install headful-browser-vnc" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Headful Browser (VNC) free?

Yes, Headful Browser (VNC) is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Headful Browser (VNC) support?

Headful Browser (VNC) is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Headful Browser (VNC)?

It is built and maintained by WaylonSong (@waylonsong); the current version is v1.0.2.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments