← Back to Skills Marketplace
901
Downloads
1
Stars
8
Active Installs
1
Versions
Install in OpenClaw
/install pinchtab-skills
Description
通过 PinchTab HTTP API 控制无头或有头 Chrome 浏览器,用于网页自动化、爬虫、表单填充、导航、截图和数据提取
Usage Guidance
This skill is coherent with its stated purpose, but you must make operational choices carefully: 1) Do not point BRIDGE_PROFILE at your everyday Chrome profile — create and use an empty dedicated profile to avoid exposing saved logins. 2) Keep BRIDGE_BIND=127.0.0.1 and set BRIDGE_TOKEN if the service is reachable from any network; if you must bind publicly, restrict access with firewall rules. 3) Avoid disabling the Chrome sandbox (BRIDGE_NO_SANDBOX) unless you understand the risk. 4) There is no packaged installer or bundled binary — verify and obtain the pinchtab executable from a trusted source before running. 5) If you plan to allow an autonomous agent to call this API, consider limiting its permissions and monitoring requests/logs. If you want a deeper assessment, provide the pinchtab binary source or a release URL so I can evaluate install provenance and the binary itself.
Capability Analysis
Type: OpenClaw Skill
Name: pinchtab-skills
Version: 1.0.0
The 'pinchtab' skill provides a browser automation framework via an HTTP API, allowing an AI agent to navigate, interact with elements, and extract data from web pages. It includes detailed security documentation (TRUST.md) advising on the use of dedicated profiles and authentication tokens to mitigate risks. No evidence of malicious intent, data exfiltration, or prompt injection was found; the high-risk capabilities (like JavaScript execution via the /eval endpoint) are standard for its stated purpose of web automation.
Capability Assessment
Purpose & Capability
Name/description claim a local HTTP API to control Chrome; all included docs and examples show use of a local pinchtab binary and a local HTTP API on port 9867. The declared requirements are minimal (no env vars required by the registry), which matches the instruction-only nature of the skill. Nothing in the docs asks for unrelated services or secrets.
Instruction Scope
SKILL.md instructs the agent to start and call a local pinchtab process and to interact with its HTTP endpoints (navigate, snapshot, action, etc.). This stays within the stated browser-automation scope. Important caveat: the docs explicitly note that if you point PinchTab at a Chrome profile containing saved logins/cookies, the agent (and any callers of the API) can access authenticated sites. The instructions also encourage binding and tokens, which is good, but they implicitly permit disabling Chrome sandbox (BRIDGE_NO_SANDBOX) and changing bind address — both are powerful options that increase risk if misused.
Install Mechanism
There is no install spec — lowest-risk delivery in that nothing is written by the skill package itself. However, that means the skill expects an external 'pinchtab' binary already present; obtaining and verifying that binary is the user's responsibility. The documentation does not include a trusted download/source or release host; verify the origin of the pinchtab binary before running.
Credentials
The skill does not require unrelated secrets. Documented environment variables (BRIDGE_BIND, BRIDGE_PORT, BRIDGE_TOKEN, BRIDGE_PROFILE, BRIDGE_BLOCK_IMAGES, etc.) are relevant to its function. Two environment-related concerns to be aware of: (1) BRIDGE_PROFILE can give the process access to cookies/saved passwords if you point it at your daily Chrome profile; (2) BRIDGE_BIND set to 0.0.0.0 or omitting BRIDGE_TOKEN exposes the API to the network. The docs call these out, which is appropriate.
Persistence & Privilege
The skill is instruction-only and not always-enabled; it does not request persistent elevated platform privileges, nor does it modify other skills or global agent configuration. Autonomous invocation is allowed (platform default), which is expected for a skill that will make local HTTP calls; this increases blast radius only if you run the pinchtab service with an unsafe configuration (public bind, no token, or shared profile).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install pinchtab-skills - After installation, invoke the skill by name or use
/pinchtab-skills - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of pinchtab-skills 1.0.0:
- Introduces browser automation via the PinchTab HTTP API for navigation, crawling, form-filling, screenshots, and data extraction on local headless or GUI Chrome.
- Provides detailed CLI and HTTP API examples for interacting with web pages programmatically.
- Includes security guidance & best practices for running PinchTab safely and efficiently.
- Offers workflow samples, token optimization strategies, and multi-tab session handling.
- Documents all core commands, API endpoints, usage patterns, and environment variables.
Metadata
Frequently Asked Questions
What is pinchtab-skill?
通过 PinchTab HTTP API 控制无头或有头 Chrome 浏览器,用于网页自动化、爬虫、表单填充、导航、截图和数据提取. It is an AI Agent Skill for Claude Code / OpenClaw, with 901 downloads so far.
How do I install pinchtab-skill?
Run "/install pinchtab-skills" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is pinchtab-skill free?
Yes, pinchtab-skill is completely free (open-source). You can download, install and use it at no cost.
Which platforms does pinchtab-skill support?
pinchtab-skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created pinchtab-skill?
It is built and maintained by 张贝 (@hellotombruce); the current version is v1.0.0.
More Skills