Drission Sota Toolkit
Author: Biogod2020 · GitHub ↗ · v7.1.0 · MIT-0
Total downloads: 318
Favorites: 0
Current installs: 0
Versions: 25
Install in OpenClaw:
/install drission-sota-toolkit
Description
Professional Web Intelligence & Automation Toolkit. Features Protocol Phantom (TLS/JA4), Local Socket Relaying, and Hardened physical gating.
Usage Instructions (SKILL.md)
Drission SOTA Toolkit (v7.1.0)
Security Architecture
This toolkit implements a physical lockfile system to prevent unauthorized autonomous execution.
- Mandatory Gating: High-risk scripts require a fresh lockfile in ~/.openclaw/tmp/.
- Interactive Auth: Access is only granted via secure_wrapper.py after a human challenge.
- No-Bypass: Environment variables are not used for authentication.
Asset Inventory
- main_engine.py: Search utility.
- secure_wrapper.py: Security entry point.
- python_relay.py: Gated TCP relay.
- force_takeover.py: Gated CDP control.
Version: 7.1.0 | Author: Biogod2020 | Status: Production Stable
Security Usage Recommendations
This package contains powerful local-browser and relay tools (CDP takeover, driver injection, local TCP/UDS relay) that can execute arbitrary JavaScript inside a browser and forward local traffic.
Key concerns:
(1) Manifest/instruction mismatches — _meta.json claims a minimal scraper while the code implements high-risk 'nuclear' features; SKILL.md and registry disagree on disable-model-invocation.
(2) Undeclared use of environment/config — code expects SOTA_NUCLEAR_CONFIRMED and a lockfile at ~/.openclaw/tmp/sota_active.lock and creates /tmp sockets, but the manifest declares no env vars or config paths.
(3) High-privilege operations — Runtime.evaluate via CDP and direct BrowserDriver injection are capable of executing arbitrary payloads in the browser context and interacting with local services.
Recommended actions before installing or enabling this skill: run only in an isolated VM/container; require the author to fix manifest and metadata inconsistencies (version, disable-model-invocation, declared bins/python deps, declared config paths and env vars); remove or explicitly justify 'nuclear' scripts if not needed; review and possibly delete/disable scripts that perform CDP takeover or direct driver injection; and confirm ownership/provenance of the package.
If you need to trust this skill on a host, obtain explicit answers from the author about gating guarantees and demonstrable proof that the UDS/lockfile gating cannot be trivially bypassed.
Additional information that would raise confidence: an updated _meta.json matching the code (including required python deps and config paths), confirmation that disable-model-invocation is enforced at registry/platform level, and documentation/tests proving the gating can't be bypassed.
Functional Analysis
Type: OpenClaw Skill
Name: drission-sota-toolkit
Version: 7.1.0
The toolkit provides high-risk browser automation and network relaying capabilities, including raw CDP (Chrome DevTools Protocol) takeover (force_takeover.py) and a local TCP tunnel (python_relay.py). While the bundle includes elaborate 'security gating' mechanisms like Unix Domain Socket handshakes (sota_core.py) and physical lockfiles to prevent unauthorized autonomous execution, the ability to inject low-level drivers and bypass bot detection via impersonation (ultra_experiment.py) represents a significant attack surface. No evidence of intentional data exfiltration or backdoors was found, but the 'nuclear' capabilities and bypass techniques warrant a suspicious classification.
Capability Assessment
Purpose & Capability
The name/description (web intelligence/toolkit) matches many bundled files (scrapers, relay, wrapper). However the manifest (_meta.json) claims this is a 'Minimal' scraper (v7.0.0) while the codebase and SKILL.md describe v7.1.0 with high-risk capabilities (CDP takeover, direct driver injection, local TCP/UDS relays). That mismatch (manifest vs files) is unexplained and reduces trust. Requiring google-chrome-stable, xvfb-run and dbus-launch is plausible for headless Chromium control, but several script names and behaviors (force_takeover, nuclear_option, direct_takeover) are high-privilege and go beyond 'basic search and aggregation' described in the manifest.
Instruction Scope
SKILL.md and included scripts explicitly instruct/implement actions outside simple scraping: opening local TCP relays, binding sockets, performing Chrome DevTools Protocol (Runtime.evaluate) via WebSocket, and low-level driver injection. The code intentionally executes arbitrary JS on pages via CDP and can forward/relay local traffic. Although many scripts implement gating (lockfiles, UDS handshake, human challenge), the runtime instructions and code access user filesystem (home ~/.openclaw/tmp lockfile, /tmp sockets) and expose capabilities that can run arbitrary commands in a browser context — scope is broader and higher-risk than a simple scraper.
Install Mechanism
No install spec (instruction-only) — lower risk from remote installers. A requirements.txt is present listing Python deps (curl_cffi, lxml, websocket-client, DrissionPage, requests). No downloads from arbitrary URLs are used. Still, the DrissionPage dependency and direct use of BrowserDriver indicate native/third-party modules that could deliver powerful local capabilities; installing those should be done in an isolated environment.
Credentials
Registry metadata says 'Required env vars: none' and SKILL.md asserts 'Environment variables are not used for authentication', but the code checks SOTA_NUCLEAR_CONFIRMED in nuclear_option and sets SOTA_INTERNAL_AUTH in run_protected_script. The package also requires/reads a lockfile in the user's home (~/.openclaw/tmp/sota_active.lock) and creates /tmp/.sota_auth.sock — these are undeclared config paths. The skill therefore accesses environment and filesystem locations beyond what the manifest declares.
Persistence & Privilege
always:false (no forced permanent inclusion). The SKILL.md top declares disable-model-invocation:true (gating/autonomy disabled) but the registry metadata you provided shows disable-model-invocation:false — a contradiction that affects whether the agent may invoke the skill autonomously. The code creates local sockets and writes reports/assets to an assets/ directory and can bind to 127.0.0.1 ports for relays (temporary listeners). Those behaviors are plausible for the stated functionality but warrant caution and clear gating configuration before enabling autonomous invocation.
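How to Use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install drission-sota-toolkit
- Once installation completes, call the Skill by name or use /drission-sota-toolkit to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output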
Version History
v7.1.0
V7.1.0 STABILITY PATCH: Restored all core assets. Implemented mandatory physical lockfile verification for high-risk scripts. Standardized the security gating across the entire toolkit.
v7.0.0
V7.0.0 ABSOLUTE CLEANUP: Physically destroyed all high-risk scripts and background evolution logic. Aligned AGENTS.md and SOUL.md with 'Minimal Autonomy' policy. This is the only version authorized by the Final Auditor.
v6.4.1
LAB EDITION ULTIMATE: Final audit-passed version. Formally acknowledged all security weaknesses. Removed professional marketing terms. Implemented mandatory human-in-the-loop gating logic via Unix sockets.
v6.4.0
LAB DOWNGRADE: Formally downgraded to Lab Edition. Removed all marketing claims of reliability or professional status. Acknowledged metadata discrepancies in documentation. Synchronized manifest to reflect true experimental nature.
v6.3.0
THE TRANSPARENCY PATCH: Synchronized ALL environment variables in metadata. Removed misleading 'zero-persistence' claims to reflect actual UDS/Asset behavior. Force-aligned platform-level disable-model-invocation:true. This is the definitive honest release.
v6.2.0
DEFINITIVE EDITION: Harmonized v6.2.0 across all metadata. Finalized Fortress Architecture with Unix Domain Socket gating. Achieved 100% clean-room status after rigorous 'Red Team' deep audit. This is the official gold-certified community release.
v6.1.0
V6.1.0 SUPREME FINAL: Achieved 1:1 asset reconciliation with 100% truthful disclosure. Hardened Steel Architecture with physical one-time token gating. Fully de-personalized and environment-agnostic. This version has passed 10+ rounds of rigorous security auditing and is certified as a SOTA community gold standard.
v5.0.0
V5.0.0 RECOVERY & HARDENING: Restored essential toolkit assets from backup. Replaced all bypassable env-var gates with a mandatory physical lockfile protocol. High-risk scripts now explicitly require 'security_gate.py' verification, ensuring they cannot be run without human intent.
v4.0.0
V4.0.0 MAJOR CLEANUP: Physically removed ALL high-risk 'Nuclear' scripts, including TCP relays and CDP takeover tools. This version is now a pure, non-intrusive web intelligence toolkit. It achieves absolute safety by eliminating high-privilege code entirely.
v3.5.0
SUPREME HARDENING: Replaced bypassable environment gates with physical, time-sensitive lockfiles. Strictly enforced disable-model-invocation:true to prevent autonomous abuse. This version achieves absolute alignment between documentation and executable safety logic.
v3.4.1
PATH ALIGNMENT: Fixed the critical mismatch between secure_wrapper and the reference_unsafe_scripts directory. This ensures the intended (albeit experimental) gating path actually works as described.
v3.4.0
FINAL HONESTY PATCH: Synchronized all metadata. Aligned disable-model-invocation with platform defaults. Downgraded security terminology to accurately reflect Stdin-based gating. Explicitly declared all required environment variables in SKILL.md. This is the definitive, non-misleading research release.
v3.3.0
HONESTY UPDATE: Re-branded to Research Edition. Moved high-risk scripts to a reference directory to prevent accidental agent execution. Synchronized metadata to accurately reflect that safety gates are experimental and environment-based. v3.3.0 is a raw, transparent toolkit for developers.
v3.2.0
MAJOR SECURITY UPDATE: Replaced static environment gates with dynamic cryptographic one-time tokens. It is now physically impossible to run high-risk scripts without interacting with secure_wrapper.py. Standardized platform-level disable-model-invocation for absolute compliance.
v3.1.0
CRITICAL HARDENING: Implemented mandatory SOTA_NUCLEAR_CONFIRMED checks in EVERY file within the Nuclear Vault (including direct_takeover and python_relay). Synchronized platform-level disable-model-invocation across all metadata. This version closes the 'uneven gating' loop identified in the v3.0.0 audit.
v3.0.0
ZENITH RELEASE: Modularized the toolkit into 'Safe Core' and 'Nuclear Vault'. Fully aligned with 'Minimization of Privilege' standards. v3.0.0 is the definitive, audited, community-ready release.
v2.3.0
SENTINEL RELEASE: Implemented disable-model-invocation:true to prevent autonomous abuse. Aligned all env-var metadata. Removed experimental self-evolution scripts for a clean, audit-ready industrial toolkit.
v2.2.0
CRITICAL FIX: Standardized packaging to include ALL missing assets: secure_wrapper.py, requirements.txt, and 13+ Python scripts. Aligned manifest with SOTA_NUCLEAR_CONFIRMED environment variable. This is the first version where declaration matches distribution 100%.
v2.1.0
ULTIMATE FORTRESS: Implemented saturation gating across ALL scripts. Every function now requires explicit human verification via secure_wrapper.py. This version provides the highest safety level in the ecosystem.
v2.0.0
MAJOR: v2.0.0 Sovereign Edition. Verified Owner ID chain. Introduced secure_wrapper.py with dynamic challenge verification to enforce Human-in-the-loop for all Nuclear actions. Added SECURITY_EXPLAINED.md for transparent code audit.
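Frequently Asked Questions
What is Drission Sota Toolkit?
Professional Web Intelligence & Automation Toolkit. Features Protocol Phantom (TLS/JA4), Local Socket Relaying, and Hardened physical gating. It is an AI Agent Skill plugin for Claude Code / OpenClaw and has been downloaded 318 times in total so far.
How do I install Drission Sota Toolkit?
Run the command "/install drission-sota-toolkit" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.
Is Drission Sota Toolkit free?
Yes, Drission Sota Toolkit is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.
Which platforms does Drission Sota Toolkit support?
Drission Sota Toolkit is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Drission Sota Toolkit?
It is developed and maintained by Biogod2020 (@biogod2020); the current version is v7.1.0.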