← 返回 Skills 市场
1164
总下载
0
收藏
2
当前安装
12
版本数
在 OpenClaw 中安装
/install browser-auth
功能描述
Start a secure remote browser tunnel for manual user authentication (solving Captchas, 2FA, logins) and capture session data. Built for AI Commander.
使用说明 (SKILL.md)
Browser Auth
This skill allows the agent to request the user to perform a manual login on a website and then capture the session cookies/localStorage for further automated work.
🚨 Security & Risk Mitigation
We take security seriously. Below is how we address common concerns related to remote browser control:
1. Remote Code Execution (RCE) Protection
- Always Sandboxed: Chromium runs with the system sandbox ENABLED. There is no option to disable it in the code. This prevents a malicious website from escaping the browser and executing code on your host.
- Isolation Recommendation: We recommend running this skill within an isolated container (Docker) or a dedicated VM for an extra layer of protection.
2. Token Leakage (Referrer Protection)
- Referrer Policy: The server enforces
Referrer-Policy: no-referrer. This ensures that even if you navigate to an untrusted site, your secretAUTH_TOKENis NEVER sent in the HTTP Referer header. - URL Cleansing: The interface automatically clears the
tokenparameter from your browser's address bar immediately after the page loads.
3. Data Sensitivity
- Session Artifacts: The
session.jsonfile contains active login cookies. Treat it with the same level of security as a password. - Mandatory Cleanup: Always delete the session file immediately after the agent finishes its task.
- No Persistence: This skill does not store credentials long-term or exfiltrate them to external servers.
4. Network Exposure
- Default Local Bind: By default, the server binds to
127.0.0.1. - Secure Access: If you need remote access, do not bind to
0.0.0.0directly. Instead, use a secure tunnel like Tailscale, Cloudflare Tunnel (cloudflared), or an SSH tunnel.
When to Use
- When a website requires manual interaction to solve Captcha or 2FA.
- When bot detection prevents automated login.
- When you want to authorize an agent without sharing your password.
Workflow
- Request Auth: Start the tunnel using
scripts/auth_server.js. - Provide Link: Share the link (including token) with the intended user over a secure channel.
- Wait for Session: The user logs in and clicks DONE in the web UI.
- Verify: Use
scripts/verify_session.jsto confirm the session is valid. - Cleanup: Delete the session file once the task is complete.
Tools
Start Auth Server
AUTH_HOST=127.0.0.1 AUTH_TOKEN=mysecret node scripts/auth_server.js \x3Cport> \x3Csession_file>
Verify Session
node scripts/verify_session.js \x3Csession_file> \x3Ctarget_url> \x3Cexpected_text>
Runtime Requirements
Requires: express, socket.io, playwright-core, and a system chromium-browser.
安全使用建议
This skill largely does what it says (launches a headless Chromium and captures cookies/localStorage), but several details are risky or inconsistent with its documentation. Before installing or running it:
- Treat the session file (session.json) as highly sensitive — delete it immediately after use and restrict file permissions.
- Always explicitly set AUTH_HOST=127.0.0.1 when starting the server (do not rely on defaults) to avoid accidental public exposure.
- Always set an explicit AUTH_TOKEN and share it over a secure channel; do not rely on auto-generated tokens if running in insecure environments.
- Run the skill inside an isolated environment (dedicated VM or container) and firewall the host/port; do not run on a host with public network access without a secure tunnel (SSH/Tailscale/Cloudflare Tunnel).
- Be aware the server prints the access URL/token to stdout — avoid running it where logs are collected or visible to others.
- Review the code and confirm npm packages will be installed from the official registry; consider installing dependencies in an isolated environment.
Given the mismatches (public bind default, on-disk persistence, token logging), proceed only if you understand and mitigate these risks. If you need, ask the author to change the default host to 127.0.0.1, avoid printing tokens in cleartext, and add an option to encrypt or avoid writing session data to disk by default.
功能分析
Type: OpenClaw Skill
Name: browser-auth
Version: 1.6.0
The skill is designed to capture sensitive user session data (cookies, localStorage), which is inherently risky but aligns with its stated purpose. The primary reason for 'suspicious' classification is that `scripts/auth_server.js` defaults the server bind address to `0.0.0.0` if the `AUTH_HOST` environment variable is not explicitly set. While `SKILL.md` documentation explicitly warns against using `0.0.0.0` without a secure tunnel, this default creates a significant network exposure vulnerability if the user ignores the warning, potentially allowing unauthorized access to the remote browser control interface. However, the code includes token-based authentication, security headers, and runs Chromium with sandboxing enabled by default, and there is no evidence of data exfiltration or other malicious intent.
能力评估
Purpose & Capability
The code, required binaries (node, chromium-browser), and npm deps (express, socket.io, playwright-core) match the stated purpose of launching a local headless Chromium and streaming control/screenshots for manual authentication. However the SKILL.md claims a default local bind of 127.0.0.1 and 'No Persistence', while the runtime behavior differs (see instruction_scope and environment_proportionality).
Instruction Scope
Runtime instructions align with the code's workflow (start server, share link, verify, delete session file). BUT the server, when invoked without AUTH_HOST set, binds to 0.0.0.0 by default (code: host = process.env.AUTH_HOST || '0.0.0.0') contrary to the SKILL.md claim. The code writes sensitive session data (cookies and localStorage) to a local session file without encryption and does not auto-delete it. The server prints an access link containing the token to stdout, which can leak the token via logs. These behaviors broaden the exposure surface beyond what's described.
Install Mechanism
The provided install step uses a standard npm install (express, socket.io, playwright-core). This is a common pattern for Node skills and is traceable to npm; it is not an arbitrary download. Installing playwright-core is moderately heavyweight and will require network access to the npm registry, but no untrusted URLs or extract-from-URL steps are present.
Credentials
The registry lists no required env vars, but SKILL.md and the code reference AUTH_HOST, AUTH_TOKEN, and BROWSER_PROXY. If AUTH_HOST is unset the code will bind publicly (0.0.0.0). The skill captures and persists session cookies/localStorage to disk (session.json) — highly sensitive data that the documentation downplays by saying 'No Persistence'. Requiring no credentials is coherent, but the combination of token-in-query links and token logging increases risk if the host is exposed.
Persistence & Privilege
The skill does not request platform-wide privileges and always:false (not force-included), which is good. However it persists sensitive artifacts to the filesystem, prints the access link/token to stdout, and — via its default host behavior — can expose the server to the network unintentionally. Those factors increase privilege/exposure risk in practice even though the skill does not modify system-wide configs.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install browser-auth - 安装完成后,直接呼叫该 Skill 的名称或使用
/browser-auth触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.6.0
Default host changed to 0.0.0.0 so the printed URL is accessible from outside (not localhost-only)
v1.5.1
Docs: Added dedicated Security & Risk Mitigation section addressing RCE, token leakage, and data sensitivity.
v1.5.0
Security: Added Referrer-Policy and security headers. Token is now cleared from URL after load. Updated registry metadata.
v1.4.2
I18n: Translated UI from Polish to English for public release.
v1.4.1
Fix: Robust asset delivery using fs.readFileSync to avoid Express sendFile issues.
v1.4.0
Security Hardening: Sandbox is now ALWAYS ENABLED. Removed unsafe flags. Integrated metadata into SKILL.md for registry consistency.
v1.3.0
Security Hardening: Removed hardcoded IP, declared env vars in metadata, added install spec, and improved documentation on sensitive data handling.
v1.2.2
Fix: Robust asset path resolution and debug logging.
v1.2.1
Fix: Absolute path resolution for assets when installed via ClawHub.
v1.2.0
Security Hardening: Enabled Chromium sandbox by default and added RCE warnings. Removed unsafe default flags.
v1.1.0
Security Update: Added token-based authentication and restricted default bind to localhost.
v1.0.0
Initial MVP: Interactive browser tunnel for manual 2FA/Captcha auth
元数据
常见问题
Browser Auth 是什么?
Start a secure remote browser tunnel for manual user authentication (solving Captchas, 2FA, logins) and capture session data. Built for AI Commander. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1164 次。
如何安装 Browser Auth?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install browser-auth」即可一键安装,无需额外配置。
Browser Auth 是免费的吗?
是的,Browser Auth 完全免费(开源免费),可自由下载、安装和使用。
Browser Auth 支持哪些平台?
Browser Auth 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Browser Auth?
由 Coder AI(@lksrz)开发并维护,当前版本 v1.6.0。
推荐 Skills