← Back to Skills Marketplace
web-collection
by
yiming1001
· GitHub ↗
· v1.2.6
· MIT-0
877
Downloads
0
Stars
0
Active Installs
19
Versions
Install in OpenClaw
/install web-collection
Description
Browser plugin data collection via a local bridge or cloud dispatch to a connected local connector, in strict synchronous closed-loop mode. Cloud mode includ...
Usage Guidance
Things to consider before installing or enabling this skill:
- The package metadata claims no required secrets, but the included scripts actually use and may request environment variables and tokens (WEB_COLLECTION_CLOUD_TOKEN / cloud device id and possibly WEB_COLLECTION_ADMIN_TOKEN or a token file at ~/.meixi-connector/bridge-admin-token.txt). That discrepancy is important — expect the skill to ask for or read tokens even though the registry entry omits them.
- Cloud dispatch defaults to https://i-sync.cn. The skill will send the full collect payload (wrapped with device_id and action) to that domain when using cloud mode and will poll for commands/results there. If you do not recognize or trust that endpoint, do not provide a cloud token or use cloud mode.
- The skill explicitly instructs using your normal Chrome profile. That means collection runs can interact with the real browser environment and may access data that you consider private. If you want to limit exposure, run the scripts in a sandboxed environment or insist on local isolated profiles/containers.
- The scripts will persist preferences under ~/.openclaw/skill-state/web-collection/preferences.json and can mask but store tokens there. Inspect that file if you use the skill. If you want to avoid persistent tokens, do not choose cloud mode or do not persist defaults that include tokens.
- The local flow may read a bridge admin token from ~/.meixi-connector/bridge-admin-token.txt and can start a bridge process using a provided BRIDGE_CMD (which executes via bash -lc). Only allow such operations if you control the bridge binary and trust the command to be run.
Recommended mitigations:
- Prefer local mode and verify the local bridge implementation yourself; run the bridge in a controlled environment.
- Do not provide a cloud API token or device id to this skill unless you can verify and trust the cloud operator (i-sync.cn) and the privacy policy of the collector.
- If you must test, run in an isolated VM/container and use a disposable Chrome profile to avoid exposing your normal browsing data.
- Review the included scripts (they are bundled here) and confirm no unexpected endpoints or logic changes before giving any secrets.
Confidence note: High confidence in these findings because the included scripts explicitly read env vars, a local token file, write preference files, and post to the stated cloud URL; the registry metadata omission of these requirements is an objective mismatch.
Capability Analysis
Type: OpenClaw Skill
Name: web-collection
Version: 1.2.6
The skill bundle facilitates browser data collection from platforms like Douyin and TikTok by interacting with a local bridge or a cloud API (https://i-sync.cn). It exhibits high-risk behaviors, including reading a local admin token from ~/.meixi-connector/bridge-admin-token.txt, requesting access to the user's primary Chrome profile, and executing shell commands via a configurable BRIDGE_CMD in scripts/collect_and_export_loop.sh. While these capabilities are aligned with the stated purpose of integrating with the 'Meixi Connector' ecosystem, the broad permissions and potential for command injection via environment variables or configuration warrant a suspicious classification.
Capability Tags
Capability Assessment
Purpose & Capability
The declared purpose (browser-extension data collection via a local bridge or cloud dispatch) matches the scripts' behavior: the scripts call local connector endpoints (/api/status, /api/collect, /api/tasks, /api/reset) and a cloud dispatch endpoint. However the skill metadata declares no required environment variables or credentials even though the scripts expect/accept many (WEB_COLLECTION_*, WEB_COLLECTION_CLOUD_TOKEN, etc.) and read a local admin token file (~/.meixi-connector/bridge-admin-token.txt). That mismatch between declared requirements and what the skill actually needs is an incoherence and raises concern.
Instruction Scope
SKILL.md instructs the agent to use the user's normal Chrome profile (not an isolated profile) and to run the included collection scripts until completion. Using the user's normal browser profile means the skill can interact with the real browsing environment and potentially collect sensitive user data. The instructions also mandate contacting either a local bridge (port 19820) or a cloud connector and to persist defaults to $HOME/.openclaw/skill-state/web-collection/preferences.json. These are within the stated purpose but expand the agent's reach to local browser state, local connector admin tokens, and remote cloud endpoints — more powerful than a simple API integration and requiring explicit disclosure.
Install Mechanism
There is no install spec that downloads remote code; the skill is instruction + included scripts (bash + node snippets). That limits supply-chain risk. The scripts do require local binaries (curl and node) at runtime; they check for them and will fail if missing. No external archives or shorteners are fetched by an installer here.
Credentials
Registry metadata lists no required environment variables or primary credential, but the scripts and SKILL.md actually read and rely on many environment values (WEB_COLLECTION_CONNECTION_MODE, WEB_COLLECTION_BRIDGE_URL, WEB_COLLECTION_CLOUD_BASE_URL, WEB_COLLECTION_CLOUD_DEVICE_ID, WEB_COLLECTION_CLOUD_TOKEN, WEB_COLLECTION_ADMIN_TOKEN, WEB_COLLECTION_BRIDGE_CMD, etc.) and will read a local file ~/.meixi-connector/bridge-admin-token.txt for a connector admin token if present. The cloud path uses an Authorization: Bearer <user_api_key> header and a default cloud base URL (https://i-sync.cn). Requesting or reading tokens and a local admin token file is proportionate to collection tasks, but the absence of those declarations in metadata and the presence of a default, non-obvious cloud endpoint are problematic and unexplained.
Persistence & Privilege
The skill persists preferences to $OPENCLAW_STATE_DIR/skill-state/web-collection/preferences.json or $HOME/.openclaw/skill-state/web-collection/preferences.json. It can also invoke a user-supplied BRIDGE_CMD (run with nohup bash -lc), which will execute arbitrary commands. The skill reads another tool's admin token file (~/.meixi-connector/bridge-admin-token.txt). While it does not request always:true, these file reads/writes and the ability to start arbitrary bridge commands increase its privilege and persistence on the host and warrant caution.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install web-collection - After installation, invoke the skill by name or use
/web-collection - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.6
Stop requiring executable bits on helper scripts; run preflight and preference helpers via bash so ClawHub-installed updates still start correctly when script permissions are stripped.
v1.2.5
Add local bridge admin auth handling and fix cloud command status parsing.
v1.2.4-beta.1
No user-visible changes in this version.
- No file changes detected compared to the previous version.
- Functionality, documentation, and behavior remain unchanged from the last release.
v1.2.3-beta.1
**Summary:** Improves environment variable handling, strictly separates local/cloud logic, and introduces new checks and documentation.
- Added `scripts/preflight_check.sh` to validate required defaults, skipping prompts when config is set via environment variables.
- Now strictly separates local (`scripts/collect_and_export_loop.sh`) and cloud (`scripts/cloud_dispatch_loop.sh`) send-command scripts—never mixes the two.
- Improved setup logic: never asks users for configuration if already present in environment variables.
- Bundled a new reference guide (`references/learning-guide.md`) for ambiguous or complex requests.
- Updated user flow and prompts to reflect the new logic and prevent redundant questions.
- Expanded documentation in SKILL.md to clarify setup, execution flow, and resource usage.
v1.2.3
Fix cloud status parsing bug: remove bare identifiers in json_get_string expression to prevent ReferenceError in cloud_dispatch_loop.sh.
v1.2.2
Add connector command ladder for progressive troubleshooting and cloud async status checks; enforce strict cloud payload defaults to prevent missing params.
v1.2.1
Add human tutorial reference (Feishu wiki) and document cloud async result querying via commands/{command_id} with result/task_updates; cloud loop now prefers single-command query with list fallback.
v1.2.0
Set fixed cloud base URL to https://i-sync.cn by default; cloud setup now requires only device_id and token; streamline first-run prompts accordingly.
v1.1.9
Refine first-run orchestration: choose local/cloud first, require cloud credentials before common defaults; add cloud dispatch path and related preferences.
v1.1.8
Unify CLI parameters, streamline the skill, and add first-run defaults with recommended setup.
v1.1.7
Add account/profile guardrails: when switching platforms, re-check the user's normal Chrome session and do not silently reuse stale browser attachments or alternate profiles.
v1.1.6
Clarify browser choice: prefer the user's regular Chrome with the installed extension, and do not default to the isolated openclaw browser profile.
v1.1.5
Require final reply to include export table link when available, and add a short analysis. Explicitly state when no table link was exported.
v1.1.4
Switch skill guidance to strict synchronous closed-loop mode; forbid intermediate replies before final task output.
v1.1.3
Add bridge reset recovery, prefer source bridge command when available, and improve idle handling for stuck running tasks.
v1.1.2
Clarify bridge base URL and connector path; update wrapper to use bundled loop and packaged macOS connector auto-detect.
v1.1.1
Polish SKILL.md trigger text, fix bundled run.sh, keep closed-loop bridge collection workflow ready for OpenClaw skill discovery.
v1.0.1
Use bash invocation for run.sh and collect loop to avoid executable-bit issues after install
v1.0.0
Initial public release with unified run.sh fast-path for local/cloud deployment
Metadata
Frequently Asked Questions
What is web-collection?
Browser plugin data collection via a local bridge or cloud dispatch to a connected local connector, in strict synchronous closed-loop mode. Cloud mode includ... It is an AI Agent Skill for Claude Code / OpenClaw, with 877 downloads so far.
How do I install web-collection?
Run "/install web-collection" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is web-collection free?
Yes, web-collection is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does web-collection support?
web-collection is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created web-collection?
It is built and maintained by yiming1001 (@yiming1001); the current version is v1.2.6.
More Skills