功能描述

Headless browser server enabling AI agents to create tabs, navigate, interact, and capture snapshots with element references locally or in the cloud.

使用说明 (SKILL.md)

camofox-browser Agent Guide

Name: Camofox Browser
Author: sheffk78

Headless browser automation server for AI agents. Run locally or deploy to any cloud provider.

Quick Start for Agents

# Install and start
npm install && npm start
# Server runs on http://localhost:9377

Core Workflow

Create a tab → Get tabId
Navigate → Go to URL or use search macro
Get snapshot → Receive page content with element refs (e1, e2, etc.)
Interact → Click/type using refs
Repeat steps 3-4 as needed

API Reference

Create Tab

POST /tabs
{"userId": "agent1", "sessionKey": "task1", "url": "https://example.com"}

Returns: {"tabId": "abc123", "url": "...", "title": "..."}

Navigate

POST /tabs/:tabId/navigate
{"userId": "agent1", "url": "https://google.com"}
# Or use macro:
{"userId": "agent1", "macro": "@google_search", "query": "weather today"}

Get Snapshot

GET /tabs/:tabId/snapshot?userId=agent1

Returns accessibility tree with refs:

[heading] Example Domain
[paragraph] This domain is for use in examples.
[link e1] More information...

Click Element

POST /tabs/:tabId/click
{"userId": "agent1", "ref": "e1"}
# Or CSS selector:
{"userId": "agent1", "selector": "button.submit"}

Type Text

POST /tabs/:tabId/type
{"userId": "agent1", "ref": "e2", "text": "hello world"}
# Add enter: {"userId": "agent1", "ref": "e2", "text": "search query", "pressEnter": true}

Scroll

POST /tabs/:tabId/scroll
{"userId": "agent1", "direction": "down", "amount": 500}

Navigation

POST /tabs/:tabId/back     {"userId": "agent1"}
POST /tabs/:tabId/forward  {"userId": "agent1"}
POST /tabs/:tabId/refresh  {"userId": "agent1"}

Get Links

GET /tabs/:tabId/links?userId=agent1&limit=50

Close Tab

DELETE /tabs/:tabId?userId=agent1

Search Macros

Use these instead of constructing URLs:

Macro	Site
`@google_search`	Google
`@youtube_search`	YouTube
`@amazon_search`	Amazon
`@reddit_search`	Reddit
`@wikipedia_search`	Wikipedia
`@twitter_search`	Twitter/X
`@yelp_search`	Yelp
`@linkedin_search`	LinkedIn

Element Refs

Refs like e1, e2 are stable identifiers for page elements:

Call /snapshot to get current refs
Use ref in /click or /type
Refs reset on navigation - get new snapshot after

Session Management

userId isolates cookies/storage between users
sessionKey groups tabs by conversation/task (legacy: listItemId also accepted)
Sessions timeout after 30 minutes of inactivity
Delete all user data: DELETE /sessions/:userId

Running Engines

Camoufox (Default)

npm start
# Or: ./run.sh

Firefox-based with anti-detection. Bypasses Google captcha.

Testing

npm test              # E2E tests
npm run test:live     # Live Google tests
npm run test:debug    # With server output

Docker

docker build -t camofox-browser .
docker run -p 9377:9377 camofox-browser

Key Files

server.js - Camoufox engine (routes + browser logic only — NO process.env or child_process)
lib/config.js - All process.env reads centralized here
lib/youtube.js - YouTube transcript extraction via yt-dlp (child_process isolated here)
lib/launcher.js - Subprocess spawning (child_process isolated here)
lib/cookies.js - Cookie file I/O
lib/metrics.js - Prometheus metrics (lazy-loaded, off by default — set PROMETHEUS_ENABLED=1)
lib/request-utils.js - HTTP request classification helpers (actionFromReq, classifyError)
lib/snapshot.js - Accessibility tree snapshot
lib/macros.js - Search macro URL expansion
Dockerfile - Production container

OpenClaw Scanner Isolation (CRITICAL)

OpenClaw's skill-scanner flags plugins that have process.env + network calls (e.g. app.post, fetch, http.request) in the same file, or child_process + network calls in the same file. These patterns suggest potential credential exfiltration.

Rule: No single .js file may contain both halves of a scanner rule pair:

process.env lives ONLY in lib/config.js
child_process / execFile / spawn live ONLY in lib/youtube.js and lib/launcher.js
server.js has the Express routes (app.post, app.get) but ZERO process.env reads and ZERO child_process imports
lib/metrics.js has NO process.env and NO HTTP method strings (POST, fetch). Prometheus is lazy-loaded only when PROMETHEUS_ENABLED=1.
lib/request-utils.js has HTTP method strings (POST) but NO process.env — safe.
When adding new features that need env vars or subprocesses, put that code in a lib/ module and import the result into server.js

Scanner rule details (from src/security/skill-scanner.ts):

env-harvesting (CRITICAL): fires when /process\.env/ AND /\bfetch\b|\bpost\b|http\.request/i match the SAME file. Note: the regex is case-insensitive, so string literals like 'POST' and even comments containing process.env will trigger it.
dangerous-exec (CRITICAL): child_process import + exec/spawn call in same file
potential-exfiltration (WARN): readFile + fetch/post/http.request in same file

This was broken in 1.3.0 (YouTube child_process in server.js), fixed in 1.3.1. Broken again in 1.4.1 (metrics.js had process.env in a comment + 'POST' in actionFromReq), fixed in 1.5.1 by lazy-loading prom-client and splitting actionFromReq into lib/request-utils.js.

安全使用建议

This package appears to be a real headless-browser server, but there are a few non-trivial security considerations you should check before installing or running it in your OpenClaw agent environment: - Inspect plugin.ts / the OpenClaw integration entrypoint to confirm how the server subprocess is launched. Specifically ensure it does NOT forward the entire host process.env into the server child process. A safe launcher should build an explicit whitelist of only the environment variables the server truly needs (CAMOFOX_PORT, CAMOFOX_COOKIES_DIR, etc.) and exclude unrelated host secrets. - Treat CAMOFOX_API_KEY, proxy credentials (PROXY_USERNAME/PROXY_PASSWORD), and cloud tokens (FLY_API_TOKEN, etc.) as sensitive. If you enable cookie import or proxy features, set these in isolated container/VM secrets (not in a general shell profile) and prefer starting the server manually in that environment rather than letting the plugin spawn it inside a host process that has many other secrets. - The cookie-import flow reads local Netscape-format files and posts cookie data to the server. The code enforces an allowlist directory and file-size limits, which is good — still, only place cookie files you trust into the configured cookies directory. - The project downloads/uses external browser binaries (Camoufox) and optionally yt-dlp; verify the download sources (URLs) before running, and prefer sandboxed execution (separate VM or container) for initial evaluation. - If you do not fully trust the source, run the server in an isolated environment (container/VM) with minimal environment variables set, do not set global CAMOFOX_API_KEY on your workstation, and review plugin launch behavior carefully. If you want, provide the plugin author or repo URL so you can audit plugin.ts and server.js specifically — the assessment would be higher-confidence if those files are reviewed in full.

功能分析

Type: OpenClaw Skill Name: camofox-browser Version: 1.0.0 The camofox-browser bundle is a legitimate and well-architected browser automation server designed for AI agents. It provides high-risk but functional capabilities such as arbitrary JavaScript evaluation (camofox_evaluate), cookie injection for authenticated sessions, and subprocess execution for YouTube transcript extraction (via yt-dlp in lib/youtube.js). These features are aligned with the stated purpose of bypassing bot detection and are protected by security measures including API/Admin key requirements and environment variable whitelisting. The documentation (SKILL.md) explicitly discusses 'Scanner Isolation' techniques to avoid false positives in security scanners by separating sensitive operations (like reading env vars) from network calls, which is implemented cleanly across the codebase (e.g., lib/config.js).

能力标签

cryptorequires-oauth-tokenrequires-sensitive-credentials

能力评估

✓ Purpose & Capability

The files and APIs match the stated purpose: a headless-browser REST server with snapshotting, element refs, cookie import, downloads, proxy support, and optional yt-dlp integration. Modules (cookies, proxy, downloads, snapshot, macros) are coherent with the description.

⚠ Instruction Scope

SKILL.md instructs agents to read local cookie files and POST them to the server (cookie import). The implementation includes path traversal checks and file-size limits, which mitigates some risk, but the overall flow still requires an API key and allows reading local cookie files (sensitive). The README/SKILL.md also documents many env vars (API key, proxy creds, Fly tokens) that the server will read and use; if those are exposed to the plugin process or forwarded to subprocesses, secrets could be leaked. The guide's claim that server.js contains no process.env / child_process seems intended to satisfy scanners, but the codebase does spawn subprocesses (launcher.js, youtube.js) and centralizes env reads in lib/config.js — you'll want to inspect exactly how plugin.ts / openclaw integration launches the server at runtime.

ℹ Install Mechanism

This is instruction-only in the registry (no install spec), which reduces automatic install risk. The README references downloading a large Camoufox binary (~300MB) and a Docker build that expects pre-fetched binaries — those downloads are external and should be verified (source URLs not included in the registry metadata). No packaged install script in the skill was provided.

⚠ Credentials

The centralized config (lib/config.js) reads many environment variables (CAMOFOX_API_KEY, CAMOFOX_ADMIN_KEY, PROXY_USERNAME/PASSWORD, FLY_API_TOKEN, etc.). lib/config.js exposes a serverEnv object containing these values. launcher.js spawns a subprocess and spreads a provided env object into the child (env: { ...env, CAMOFOX_PORT: String(port) }), which means if the plugin or launcher is given the full host process.env, secrets could be forwarded to the server subprocess. These environment variables are functionally relevant to proxying, cookie import, and cloud deploy, but the skill metadata lists no required envs — so the skill expects sensitive secrets if you enable features. Ensure the plugin uses an explicit whitelist and does not pass the entire host environment.

ℹ Persistence & Privilege

always is false. The skill is user-invocable and allows autonomous model invocation (default), which is normal for skills. The ability to spawn and manage a long-running local server subprocess increases blast radius if the plugin is invoked autonomously and is given broad env access — consider restricting agent autonomy or running the server in an isolated environment if you plan to give it sensitive envs or proxy credentials.

版本历史

v1.0.0

Initial release of camofox-browser: headless browser automation server for AI agents. - Implements REST API for browser tab creation, navigation, element interaction, and session management. - Supports search macros for Google, YouTube, Amazon, and other major sites. - Provides stable element references, user/session isolation, and robust session timeout/deletion. - Engineered for secure deployment: codebase structured to avoid credential exfiltration risks flagged by OpenClaw scanner. - Includes Docker support, E2E testing, and modular file organization for process/env and subprocess handling.

元数据

Slug camofox-browser

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题

Camofox Browser 是什么？

Headless browser server enabling AI agents to create tabs, navigate, interact, and capture snapshots with element references locally or in the cloud. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 145 次。

如何安装 Camofox Browser？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install camofox-browser」即可一键安装，无需额外配置。

Camofox Browser 是免费的吗？

是的，Camofox Browser 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Camofox Browser 支持哪些平台？

Camofox Browser 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Camofox Browser？

由 sheffk78（@sheffk78）开发并维护，当前版本 v1.0.0。

Camofox Browser