← Back to Skills Marketplace
Internal Admin Playwright
by
wulooongcha
· GitHub ↗
· v1.0.0
· MIT-0
66
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install internal-admin-playwright
Description
Python + Playwright 内部后台自动化技能,支持 VPN(L2TP/IPsec) 可配置接入、严格域名白名单、中文指令路由(例如进入评论管理到视频评论、进入文章管理到文章列表)与固定流程执行。用于受控访问内网后台、禁止外网访问并按预设命令执行菜单操作。
README (SKILL.md)
Internal Admin Playwright
执行流程
- 加载
references/vpn_config.yaml(可选自动 VPN)。 - 加载
references/whitelist.yaml(白名单和域名解析覆盖)。 - 执行
scripts/run.py --command "\x3C中文指令>"。
命令示例
python3 scripts/run.py --command "进入文章管理->文章列表"
python3 scripts/run.py --command "进入评论管理->视频评论"
配置点
- VPN:
references/vpn_config.yaml - 访问边界白名单:
references/whitelist.yaml - 指令路由:
references/menu_map.yaml
环境变量
STAFF_USERNAME/STAFF_PASSWORDGOOGLE_OTP(或页面“标识码/动态码”)LOGIN_URL(默认 mogusp 登录页)AUTO_VPN=1(执行前自动vpn up,结束自动vpn down)HEADLESS=1|0FORCE_IPV4=1|0
VPN 手动命令
python3 scripts/vpn_l2tp.py up
python3 scripts/vpn_l2tp.py status
python3 scripts/vpn_l2tp.py down
约束
- 未在白名单的域名请求会被直接阻断。
- 未定义命令不会执行(必须先配置
menu_map.yaml)。 - 凭据仅通过环境变量或
vpn_config.yaml维护,不要硬编码到脚本。
Usage Guidance
This skill implements exactly the advertised automation but requires high privileges and contains surprising/unsafe defaults. Before installing or running it: 1) Do NOT run it on a production or sensitive host; run in an isolated VM/container with no access to your real credentials or network. 2) Remove or replace the committed references/vpn_config.yaml (it contains cleartext VPN credentials) and never keep production secrets in the repo — use a secret manager or pass them via environment only at runtime. 3) Expect to run parts of this as root (VPN setup) — review and approve every command that writes to /etc or changes routing. If you won't grant root, disable AUTO_VPN and avoid running vpn_l2tp.py. 4) Audit and optionally remove proxy usage (HTTP_PROXY/HTTPS_PROXY) so traffic cannot be routed through an attacker-controlled proxy. 5) Note the code reads a fallback rules file in the user's home (~/.openclaw/skills/...), which is cross-skill file access; ensure that file is safe or modify the code to avoid reading outside the skill directory. 6) Review code for bugs and edge cases (e.g., review_comments.py references processed_ids but it is not initialized — this will raise errors). 7) If you intend to use it, replace embedded secrets with templates, document required env vars in registry metadata, and run a manual review and least-privilege deployment (dedicated VM, network restrictions, no sensitive account reuse). If you cannot perform these steps, treat the skill as too risky to run.
Capability Analysis
Type: OpenClaw Skill
Name: internal-admin-playwright
Version: 1.0.0
The skill bundle contains high-risk system-level operations and hardcoded credentials. Specifically, `scripts/vpn_l2tp.py` overwrites critical system configuration files (e.g., `/etc/ipsec.conf`, `/etc/ipsec.secrets`, `/etc/ppp/options.xl2tpd`) and terminates system processes like `xl2tpd` and `pppd`, which could disrupt host networking. Additionally, `references/vpn_config.yaml` and `debug/login_test.py` contain hardcoded credentials for a VPN server (172.104.49.25) and an administrative backend (staff.bluemv.net). While these actions align with the stated purpose of automating an internal admin panel via VPN, the intrusive nature of the scripts and the use of `shell=True` in subprocess calls present significant security risks.
Capability Assessment
Purpose & Capability
Name/description align with the included scripts: Playwright automation, menu routing, whitelist, and VPN helpers. However registry metadata declared no required env vars while SKILL.md (and the code) expect STAFF_USERNAME/STAFF_PASSWORD, GOOGLE_OTP, AUTO_VPN, HEADLESS, etc. Also the repository includes a populated references/vpn_config.yaml (server/username/password/psk) which is unexpected to ship as plaintext in a skill package.
Instruction Scope
Runtime instructions (SKILL.md and scripts) instruct the agent to: potentially bring up an L2TP/IPsec VPN, modify system VPN files, change routing, and launch a browser context that will route requests via a proxy if HTTP_PROXY is set. The code also attempts to read a fallback rules.json from Path.home() (other skill data in the user's home), which is cross-skill file access not documented in SKILL.md. These behaviors go beyond simple page automation and require explicit user consent and environment isolation.
Install Mechanism
No install spec is included in the registry, but the README documents installing Python deps and Playwright browsers (requirements.txt references playwright==1.53.0). That's reasonable, but running Playwright also requires installing browser binaries (not automatic from the registry) and the README indicates such steps. No remote, untrusted downloads were found in the skill itself.
Credentials
The skill expects/reads sensitive credentials (staff account, OTP) via environment variables and also ships a references/vpn_config.yaml containing a server, username, password and PSK — sensitive secrets committed in the package. The registry metadata did not declare required envs, creating an inconsistency. The code honors HTTP_PROXY/HTTPS_PROXY and will route all Playwright traffic through an arbitrary proxy if set, which could be used to exfiltrate credentials unless the user controls that proxy.
Persistence & Privilege
The VPN helper writes system files under /etc (ipsec.conf, ipsec.secrets, xl2tpd and ppp options) and runs privileged network commands (ipsec up/down, ip route replace, starting xl2tpd, pkill, etc.). These actions require root and modify host network configuration — a high privilege and persistent effect on the machine. The skill is not marked always:true, but it nevertheless performs system-level changes when invoked.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install internal-admin-playwright - After installation, invoke the skill by name or use
/internal-admin-playwright - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of internal-admin-playwright.
- Provides automated internal admin panel access with Python + Playwright.
- Supports configurable VPN (L2TP/IPsec) access and strict domain whitelist.
- Allows control via Chinese command routing and fixed process execution.
- Restricts access to internal networks; all commands and menu operations must be pre-configured.
- Credentials handled only via environment variables or config files; no hardcoding allowed.
Metadata
Frequently Asked Questions
What is Internal Admin Playwright?
Python + Playwright 内部后台自动化技能,支持 VPN(L2TP/IPsec) 可配置接入、严格域名白名单、中文指令路由(例如进入评论管理到视频评论、进入文章管理到文章列表)与固定流程执行。用于受控访问内网后台、禁止外网访问并按预设命令执行菜单操作。 It is an AI Agent Skill for Claude Code / OpenClaw, with 66 downloads so far.
How do I install Internal Admin Playwright?
Run "/install internal-admin-playwright" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Internal Admin Playwright free?
Yes, Internal Admin Playwright is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Internal Admin Playwright support?
Internal Admin Playwright is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Internal Admin Playwright?
It is built and maintained by wulooongcha (@wulooongcha); the current version is v1.0.0.
More Skills