← Back to Skills Marketplace
t9530638

Termux Zero Token

by t9530638 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
89
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install termux-zero-token
Description
在 Termux 上利用手機 Chrome 已登入的 cookies 免費調用 DeepSeek、Kimi、Qwen、GLM 等多款 AI 模型。
Usage Guidance
This skill does what it claims (uses ADB/Chrome remote debugging to steal cookies from your phone and reuse them to call AI services), but that capability is sensitive and risky. Before installing or running it, consider: 1) Only use on a device/account you fully control and that has no payment or sensitive data; these cookies can allow account takeover. 2) Review the code yourself (or have a trusted reviewer) — it saves cookies unencrypted to ~/.openclaw/zero-token/credentials.json for 7 days. 3) Running npm install will fetch playwright-core and its dependencies; be prepared for large installs and platform dependencies. 4) This approach likely violates the providers' terms of service and could lead to account suspension. 5) If you still want to try it, run it in an isolated environment (throwaway account / VM), remove stored credentials after use, and monitor network activity. 6) If you need legitimate API access, prefer official API keys or provider-approved SDKs rather than extracting browser sessions. Finally, given the sensitive nature of what it does, treat this skill as high-risk and avoid using it on primary or shared accounts.
Capability Analysis
Type: OpenClaw Skill Name: termux-zero-token Version: 1.0.0 The skill bundle automates the extraction of sensitive session cookies from a phone's Chrome browser via ADB and Chrome DevTools Protocol (CDP) to bypass AI provider API limits. While the code in src/index.ts and the provider scripts (e.g., src/providers/deepseek-stream.ts) appears to use these credentials locally to communicate with official AI endpoints like api.deepseek.com and api.moonshot.cn, the practice of scraping and storing raw session cookies in ~/.openclaw/zero-token/credentials.json is high-risk. Although no evidence of exfiltration to a third party was found, the tool's core functionality relies on bypassing security boundaries and Terms of Service, which is inherently risky behavior.
Capability Assessment
Purpose & Capability
The name/description claim to use a phone Chrome session to call DeepSeek/Kimi/Qwen/GLM without API keys; the source files implement exactly that: connecting to Chrome CDP over localhost:9222 via Playwright, reading cookies for provider domains, and calling provider endpoints with those cookies or extracted tokens. Saving credentials to ~/.openclaw/zero-token/credentials.json is consistent with the stated goal. The Playwright dependency is logically required for CDP access.
Instruction Scope
SKILL.md explicitly instructs the user to enable ADB forwarding and Chrome remote debugging, then 'import credentials' (i.e., capture cookies/session). The code captures cookies for provider domains and saves them locally. Capturing browser cookies is intrinsically high-risk: these are sensitive session credentials that can grant account access. The instructions and code also encourage enabling remote debugging on a phone (broad access to the device's browser session). While scoped to listed providers' domains, the runtime has access to the phone's browser via CDP and could be extended to capture other data. The SKILL.md also triggered a prompt-injection scanner finding (system-prompt-override) — the file references 'systemPrompt' in examples; this is likely benign in context but worth noting.
Install Mechanism
There is no explicit install specification (instruction-only style), but package.json declares a dependency on 'playwright-core'. Playwright can be large and may pull in native artifacts or require additional platform-specific setup. No remote downloads from unknown URLs are present in the skill bundle itself. Because there's no install spec in the skill metadata, installing/running this code will require npm install which will fetch packages from the public registry — normal but non-trivial.
Credentials
The skill requests no declared environment variables, but it requires ADB access to a user's phone and direct access to mobile Chrome sessions. It persists cookies and optional userAgent into an unencrypted file (~/.openclaw/zero-token/credentials.json) for 7 days. Storing session cookies is equivalent to storing account credentials and is disproportionate in sensitivity even if logically needed to achieve the stated feature. There are no additional external secret requirements, and the provider cookieDomains restrict what it collects, but that still grants full session-level access to those accounts.
Persistence & Privilege
The skill writes persistent credentials to the user's home directory under ~/.openclaw/zero-token and sets an expiresAt timestamp (7 days). always is false (no unconditional inclusion). The skill does not modify other skills or global agent config. Allowing autonomous invocation is the platform default; combined with persistent sensitive data it increases blast radius if the agent uses the stored cookies without user confirmation.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install termux-zero-token
  3. After installation, invoke the skill by name or use /termux-zero-token
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
termux-zero-token 1.0.0 - 全新發佈:在 Android Termux 上使用手機 Chrome 的已登入帳戶,無需 API Key 免費調用 DeepSeek、Kimi、Qwen、GLM 等 AI 模型 - 支援多家 AI 服務商及多種模型,完全免費,利用瀏覽器 cookies 模擬登錄 - 一鍵提取 credentials,自動連接手機 Chrome(需開啟 adb port forwarding) - 詳細引導安裝、使用、技術原理與商業模式 - 說明限制:cookies 需定期更新,僅供個人用途,不保證長期有效
Metadata
Slug termux-zero-token
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Termux Zero Token?

在 Termux 上利用手機 Chrome 已登入的 cookies 免費調用 DeepSeek、Kimi、Qwen、GLM 等多款 AI 模型。 It is an AI Agent Skill for Claude Code / OpenClaw, with 89 downloads so far.

How do I install Termux Zero Token?

Run "/install termux-zero-token" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Termux Zero Token free?

Yes, Termux Zero Token is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Termux Zero Token support?

Termux Zero Token is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Termux Zero Token?

It is built and maintained by t9530638 (@t9530638); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments