← Back to Skills Marketplace
bfchain2-hub

Agent Browser Stealth

by bfchain2-hub · GitHub ↗ · v1.0.0 · MIT-0
darwinlinuxwin32 ⚠ suspicious
136
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install agent-browser-stealth-xyh
Description
Stealth browser automation with anti-detection. Launches Chromium with fingerprint randomization, webdriver flag removal, Canvas/WebGL spoofing, and permissi...
README (SKILL.md)

agent-browser-stealth

Anti-detection browser automation built on Playwright. Launches Chromium with layered stealth to evade bot detection on protected sites.

Architecture

agent-browser-stealth
└── stealth-launch.js    # Playwright + CDP stealth wrapper
    ├── Removes navigator.webdriver
    ├── Spoofs Canvas/WebGL fingerprints
    ├── Masks chrome.runtime
    ├── Patches Permissions API
    ├── Hides automation CSS flags
    └── Preserves full Playwright functionality

Commands

# Launch and navigate
node scripts/stealth-launch.js open https://example.com

# Get interactive elements (ref-based)
node scripts/stealth-launch.js snapshot
# → Returns refs e1, e2, e3... with element metadata

# Interact
node scripts/stealth-launch.js click e3
node scripts/stealth-launch.js fill e2 "text to fill"
node scripts/stealth-launch.js type e2 "typed slowly"
node scripts/stealth-launch.js press Enter

# Inspect
node scripts/stealth-launch.js screenshot [path]
node scripts/stealth-launch.js get text e1
node scripts/stealth-launch.js get attr e5 href
node scripts/stealth-launch.js get value e2

# Close
node scripts/stealth-launch.js close

Snapshot Refs

snapshot returns numbered refs (e1, e2, ...) — use these for subsequent interactions:

1. [a] "Sign In" → /login
2. [input] placeholder="Email"
3. [input] type=password
4. [button] "Submit"

Then:

node scripts/stealth-launch.js click e1    # click Sign In
node scripts/stealth-launch.js fill e2 "[email protected]"
node scripts/stealth-launch.js fill e3 "password"
node scripts/stealth-launch.js click e4      # Submit

Stealth Layers

Layer Technique
WebDriver Flag Object.defineProperty(navigator, 'webdriver', { get: () => undefined })
Chrome Runtime chrome.runtime nullified
Canvas Fingerprint getImageData returns noise instead of real data
WebGL Vendor/Renderer Spoofed to Intel Iris OpenGL Engine
Permissions API Returns granted for notifications/geolocation
getComputedStyle Animations/transition stripped
Viewport Randomized within 1280-1330 × 900-950

Installation

npm install -g playwright
npx playwright install chromium

The skill uses Playwright as a local dependency via npx — no global install of stealth plugins needed.

Session Persistence

For login persistence, use Playwright's built-in storageState:

// In scripts/stealth-session.js — save auth after login
import { chromium } from 'playwright';

const browser = await chromium.launch({ 
  headless: true,
  args: ['--disable-blink-features=AutomationControlled', '--no-sandbox']
});
const page = await browser.newPage();
// ... perform login ...
await page.context().storageState({ path: 'auth.json' });
// Next run:
const browser = await chromium.launch({ headless: true });
const context = await browser.newContext({ storageState: 'auth.json' });

Anti-Detection Testing

Test stealth effectiveness:

node scripts/stealth-launch.js open https://bot.sannysoft.com
node scripts/stealth-launch.js snapshot
# All checks should show green/undetected

Limitations

  • Cloudflare JS Challenge: May require headed mode + manual solve
  • CAPTCHAs: Requires external solver (2Captcha, etc.) — not built in
  • Very aggressive sites: May need proxy rotation (residential proxies)

Examples

Login to a Protected Site

node scripts/stealth-launch.js open https://target-site.com/login
node scripts/stealth-launch.js snapshot
node scripts/stealth-launch.js fill e1 "[email protected]"
node scripts/stealth-launch.js fill e2 "password"
node scripts/stealth-launch.js click e3
node scripts/stealth-launch.js screenshot
node scripts/stealth-launch.js close

Scrape Dynamic Content

node scripts/stealth-launch.js open https://news.site.com
node scripts/stealth-launch.js snapshot
# Identify article refs, then extract
node scripts/stealth-launch.js get html e5
node scripts/stealth-launch.js close

Stealth vs agent-browser

Feature agent-browser agent-browser-stealth
Anti-detection ❌ None ✅ 8 layers
Fingerprint spoofing ❌ None ✅ Canvas + WebGL
CDP-based ✅ Native Rust ✅ Playwright
Session isolation
Complexity Lightweight Slightly heavier
Best for General automation Protected sites
Usage Guidance
This skill is coherent with its stealth automation goal, but exercise caution before using it with real accounts or sensitive targets. Specific things to consider before installing or running: - 'snapshot' can capture input values (it records element.value slices), which may include passwords or tokens — avoid running snapshot on pages with credentials or remove/modify value-capture in the script. - The script writes a local session file (.session.json) and may save Playwright storageState files (auth.json) if you use session persistence; these files can contain authentication state—store them securely or disable persistence. - The --continue behavior will try to connect to http://localhost:9222 via CDP; ensure no remote-forwarded/exposed CDP ports are active to avoid unintended access. - The stealth init code overrides the Permissions API (returns 'granted') and spoofs fingerprints — that may confuse debugging and can bypass site protections; use it only where legally/ethically allowed. - The package instructs installing Playwright via npm/npx (network download). Review and run the included scripts in an isolated environment (container or VM) and read the source (scripts/stealth-launch.js) yourself. If you need a clean, lower-risk alternative: run a minimal automation wrapper that explicitly excludes capturing input values and does not persist session files, or modify the provided script to redact input values and store sessions in a secure, user-chosen path.
Capability Analysis
Type: OpenClaw Skill Name: agent-browser-stealth-xyh Version: 1.0.0 The agent-browser-stealth skill is a legitimate browser automation utility built on Playwright, designed to bypass bot detection mechanisms. The core logic in scripts/stealth-launch.js implements standard anti-detection techniques such as spoofing navigator.webdriver, masking the Chrome runtime, and patching WebGL/Canvas fingerprints, all of which are clearly documented in SKILL.md and EXAMPLES.md. The script provides a structured interface for an AI agent to interact with web elements via reference IDs, and it lacks any indicators of malicious intent, such as unauthorized data exfiltration, hidden network calls, or persistence mechanisms.
Capability Assessment
Purpose & Capability
Using Playwright and Chromium launch flags is consistent with the stated purpose of anti-detection automation. The included JS implements the claimed stealth techniques (navigator.webdriver masking, canvas/webgl spoofing, permissions override). However the snapshot feature also reads input 'value' attributes and returns them — a capability that can expose passwords or other sensitive fields and is not called out as a privacy/security caveat in SKILL.md.
Instruction Scope
SKILL.md instructs running the provided script and to use --continue to persist sessions but does not warn that 'snapshot' will collect element values (including input values), that a local .session.json is written, or that the script will attempt to connect to a CDP endpoint at http://localhost:9222 when resuming. The script also overrides Permissions API responses (for notifications/geolocation/etc.), which changes page behavior beyond simple navigation. These actions widen the agent's read/write scope and could leak sensitive data if used with real credentials or exposed CDP ports.
Install Mechanism
There is no automated installer in the registry entry; SKILL.md recommends installing Playwright via npm/npx (a standard, expected approach). No remote, untrusted binary downloads or extract-from-arbitrary-URL installs are present in the package files. Network access to npm is required by the user to obtain Playwright.
Credentials
The skill declares no credentials or env vars, which fits its purpose, but it still reads/writes local session files (.session.json and user-provided storageState files) and returns captured page element metadata and input values. That local file I/O and the ability to capture input values are disproportionate to a user expectation of 'stealth' — they introduce a credential-exposure risk even though no external secrets are requested.
Persistence & Privilege
always:false (no forced persistence), and the skill only writes a local .session.json to track active sessions (normal for session reuse). It also attempts to connect to a local CDP at http://localhost:9222 when resuming (only localhost). These are moderate privileges but not platform-global; still, resuming via CDP could behave unexpectedly if a CDP endpoint is forwarded/exposed.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install agent-browser-stealth-xyh
  3. After installation, invoke the skill by name or use /agent-browser-stealth-xyh
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
agent-browser-stealth 1.0.0 - Initial release of a stealth browser automation tool for evading detection on bot-protected sites. - Launches Chromium with multiple anti-detection techniques: fingerprint randomization, webdriver flag removal, Canvas/WebGL spoofing, and permissions API masking. - Provides CLI commands for opening pages, interacting with elements via refs, inspecting page data, and session management. - Supports Playwright session persistence for repeatable logins. - Designed for use cases like web scraping, login automation, and accessing protected content.
Metadata
Slug agent-browser-stealth-xyh
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Agent Browser Stealth?

Stealth browser automation with anti-detection. Launches Chromium with fingerprint randomization, webdriver flag removal, Canvas/WebGL spoofing, and permissi... It is an AI Agent Skill for Claude Code / OpenClaw, with 136 downloads so far.

How do I install Agent Browser Stealth?

Run "/install agent-browser-stealth-xyh" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Agent Browser Stealth free?

Yes, Agent Browser Stealth is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Agent Browser Stealth support?

Agent Browser Stealth is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux, win32).

Who created Agent Browser Stealth?

It is built and maintained by bfchain2-hub (@bfchain2-hub); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463556 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259610 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200551 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191226 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190235 · by oswalpalash

💬 Comments