← 返回 Skills 市场

PinchTab

Name: PinchTab
Author: dexifried

作者 dexifried · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

206

总下载

当前安装

版本数

在 OpenClaw 中安装

/install dexifried-pinchtab

功能描述

Browser automation via HTTP API. Use for headless browser control, web automation, form filling, data extraction, and interactive element interaction. Suppor...

使用说明 (SKILL.md)

PinchTab Skill

Description

PinchTab is an HTTP server that provides programmatic control over a browser. It supports launching browser instances, navigating to pages, extracting page structure, and interacting with elements like buttons or forms.

When to Use

Use this skill for tasks like:

Automating browser workflows (e.g., logins, form submissions).
Extracting data or snapshots from web pages.
Testing interactive web elements.

Quick Start

Below is a guide to using the PinchTab skill:

1. Launching a Browser Instance

You can launch a new browser instance via the API:

bash scripts/launch_browser.sh

2. Navigating to a URL

Navigate to a URL with the following command:

bash scripts/navigate_to_url.sh https://example.com

3. Extracting Page Snapshot

Get the page structure and save it locally:

bash scripts/get_page_snapshot.sh

4. Clicking an Element

Simulate a button click on a webpage:

bash scripts/click_element.sh "\x3Ccss_selector>"

5. Taking Screenshots (Base64 Decode + Send to Telegram)

Capture a screenshot, decode the base64, and send to Telegram:

Bash:

export PINCHTAB_TOKEN="your_token"
export TELEGRAM_BOT_TOKEN="your_bot_token"
bash scripts/screenshot_and_send.sh \x3Ctab_id> \x3Ctelegram_chat_id>

Python (more features):

export PINCHTAB_TOKEN="your_token"
python3 scripts/decode_screenshot.py \x3Ctab_id> \
  --output /path/to/screenshot.jpg \
  --send-telegram \x3Cchat_id> \
  --caption "My screenshot"

Example: Google Homepage

PinchTab successfully navigated to Google and extracted the page structure:

Google Screenshot

This demonstrates:

Browser launch and page navigation
Interactive element extraction (About, Store, Advertising links, etc.)
Ready for automation (clicking, form filling, data extraction)

Documentation

Check the references/ folder for detailed API documentation, common workflows, and troubleshooting tips.

安全使用建议

Review the scripts before running. Key things to check: 1) The repo embeds a bearer token (b6a9...) in several scripts and docs — treat that as a secret of unknown origin; do not assume it is safe. 2) The metadata declares no required environment variables or binaries, but the scripts require curl, jq, base64, mktemp, and python3 with the requests package; ensure those are present and correct. 3) Screenshot flows can send images to Telegram (external network) and will copy files into the agent workspace; avoid running these scripts with elevated privileges and consider running them in a sandbox. 4) Confirm there is a legitimate local PinchTab server at http://localhost:9867 before using the scripts — the skill does not install that server. 5) Prefer using your own PINCHTAB_TOKEN/TELEGRAM_BOT_TOKEN (exported as env vars) and remove or rotate any embedded tokens. If you need a clean install path or provenance for the server binary/token, ask the publisher for source/build instructions and justification for the embedded token; until then treat the package as untrusted.

功能分析

Type: OpenClaw Skill Name: dexifried-pinchtab Version: 1.0.0 The skill provides browser automation tools but includes high-risk data exfiltration capabilities and hardcoded credentials. Specifically, 'scripts/screenshot_and_send.sh' and 'scripts/decode_screenshot.py' are designed to send browser screenshots to external Telegram bots (api.telegram.org), a common pattern for data exfiltration. Additionally, multiple files (e.g., 'scripts/launch_browser.sh' and 'references/api-endpoints.md') contain a hardcoded API bearer token (b6a91002205211861a1840bc7d1f55e98757ba635436b5a7), which is a significant security vulnerability.

能力评估

⚠ Purpose & Capability

The name/description (HTTP browser automation) aligns with the scripts and API docs: the files call a localhost HTTP API to launch/navigate/click and fetch screenshots. However several pieces don't belong or are under-specified: a bearer token is embedded in reference docs and multiple shell scripts (suggesting a baked-in credential), and the SKILL metadata declares no required env vars or binaries even though scripts need curl, jq, base64, mktemp and python3+requests. That mismatch is disproportionate to the stated purpose.

⚠ Instruction Scope

Runtime instructions direct the agent/user to run the included scripts to interact with http://localhost:9867 and to export PINCHTAB_TOKEN/TELEGRAM_BOT_TOKEN for some flows. The scripts themselves use a hard-coded Authorization token for many endpoints, fetch/decode base64 screenshots, optionally send images to Telegram (external network), and copy artifacts into /root/.openclaw/workspace/skills/pinchtab/assets — writing into the agent workspace. These actions extend beyond simple in-memory automation: they persist files and can transmit data externally (Telegram).

ℹ Install Mechanism

There is no install spec (instruction-only with scripts), which reduces installer risk. However the packaged scripts will be executed as-is and rely on external binaries and Python packages that are not declared. Because files will be executed from disk, the lack of an install or verification step means you must review script contents before running.

⚠ Credentials

The skill metadata lists no required env vars, yet SKILL.md and scripts expect PINCHTAB_TOKEN and optionally TELEGRAM_BOT_TOKEN. Worse, many shell scripts and API docs include a hard-coded bearer token (b6a9100...), which is effectively an embedded secret. This is disproportionate: a browser automation helper should accept a user-provided token or no token, not ship with/require an undeclared credential. The scripts also assume presence of tools (jq, curl, base64, python3, requests) that the manifest doesn't list.

✓ Persistence & Privilege

always:false and no system-wide installs or modifications are requested. The only persistence is copying a screenshot into the skill's workspace directory (/root/.openclaw/workspace/skills/pinchtab/assets) if present — which is limited to the agent workspace, not global system config. The skill does perform network calls (localhost API and optional Telegram outbound requests) which is expected for its purpose.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install dexifried-pinchtab
安装完成后，直接呼叫该 Skill 的名称或使用 /dexifried-pinchtab 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Browser automation via HTTP API, screenshot decoding, Telegram integration. Includes base64 decoder scripts and workflow examples.

元数据

Slug dexifried-pinchtab

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题

PinchTab 是什么？

Browser automation via HTTP API. Use for headless browser control, web automation, form filling, data extraction, and interactive element interaction. Suppor... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 206 次。

如何安装 PinchTab？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install dexifried-pinchtab」即可一键安装，无需额外配置。

PinchTab 是免费的吗？

是的，PinchTab 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

PinchTab 支持哪些平台？

PinchTab 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 PinchTab？

由 dexifried（@dexifried）开发并维护，当前版本 v1.0.0。