← 返回 Skills 市场
3789
总下载
4
收藏
14
当前安装
1
版本数
在 OpenClaw 中安装
/install kesslerio-stealth-browser
功能描述
Anti-bot browser automation using Camoufox and Nodriver. Bypasses Cloudflare Turnstile, Datadome, and aggressive anti-bot on sites like Airbnb and Yelp. Use when standard Playwright/Selenium gets blocked.
使用说明 (SKILL.md)
Stealth Browser Skill 🥷
Anti-bot browser automation that bypasses Cloudflare Turnstile, Datadome, and aggressive fingerprinting.
When to Use
- Standard Playwright/Selenium gets blocked
- Site shows Cloudflare challenge or "checking your browser"
- Need to scrape Airbnb, Yelp, or similar protected sites
playwright-stealthisn't working anymore
Tool Selection
| Target Difficulty | Tool | When to Use |
|---|---|---|
| Browser | Camoufox | All protected sites - Cloudflare, Datadome, Yelp, Airbnb |
| API Only | curl_cffi | No browser needed, just TLS spoofing |
Quick Start
All scripts run in pybox distrobox for isolation.
⚠️ Use python3.14 explicitly - pybox may have multiple Python versions with different packages installed.
1. Setup (First Time)
# Install tools in pybox (use python3.14)
distrobox-enter pybox -- python3.14 -m pip install camoufox curl_cffi
# Camoufox browser downloads automatically on first run (~700MB Firefox fork)
2. Fetch a Protected Page
Browser (Camoufox):
distrobox-enter pybox -- python3.14 scripts/camoufox-fetch.py "https://example.com" --headless
API only (curl_cffi):
distrobox-enter pybox -- python3.14 scripts/curl-api.py "https://api.example.com/endpoint"
Architecture
┌─────────────────────────────────────────────────────────┐
│ OpenClaw Agent │
├─────────────────────────────────────────────────────────┤
│ distrobox-enter pybox -- python3.14 scripts/xxx.py │
├─────────────────────────────────────────────────────────┤
│ pybox Container │
│ ┌─────────────┐ ┌─────────────┐ │
│ │ Camoufox │ │ curl_cffi │ │
│ │ (Firefox) │ │ (TLS spoof)│ │
│ └─────────────┘ └─────────────┘ │
└─────────────────────────────────────────────────────────┘
Tool Details
Camoufox
- What: Custom Firefox build with C++ level stealth patches
- Pros: Best fingerprint evasion, passes Turnstile automatically
- Cons: ~700MB download, Firefox-based
- Best for: All protected sites - Cloudflare, Datadome, Yelp, Airbnb
curl_cffi
- What: Python HTTP client with browser TLS fingerprint spoofing
- Pros: No browser overhead, very fast
- Cons: No JS execution, API endpoints only
- Best for: Known API endpoints, mobile app reverse engineering
Critical: Proxy Requirements
Datacenter IPs (AWS, DigitalOcean) = INSTANT BLOCK on Airbnb/Yelp
You MUST use residential or mobile proxies:
# Example proxy config
proxy = "http://user:[email protected]:8080"
See references/proxy-setup.md for proxy configuration.
Behavioral Tips
Sites like Airbnb/Yelp use behavioral analysis. To avoid detection:
- Warm up: Don't hit target URL directly. Visit homepage first, scroll, click around.
- Mouse movements: Inject random mouse movements (Camoufox handles this).
- Timing: Add random delays (2-5s between actions), not fixed intervals.
- Session stickiness: Use same proxy IP for 10-30 min sessions, don't rotate every request.
Headless Mode Warning
⚠️ Old --headless flag is DETECTED. Options:
- New Headless: Use
headless="new"(Chrome 109+) - Xvfb: Run headed browser in virtual display
- Headed: Just run headed if you can (most reliable)
# Xvfb approach (Linux)
Xvfb :99 -screen 0 1920x1080x24 &
export DISPLAY=:99
python scripts/camoufox-fetch.py "https://example.com"
Troubleshooting
| Problem | Solution |
|---|---|
| "Access Denied" immediately | Use residential proxy |
| Cloudflare challenge loops | Try Camoufox instead of Nodriver |
| Browser crashes in pybox | Install missing deps: sudo dnf install gtk3 libXt |
| TLS fingerprint blocked | Use curl_cffi with impersonate="chrome120" |
| Turnstile checkbox appears | Add mouse movement, increase wait time |
ModuleNotFoundError: camoufox |
Use python3.14 not python or python3 |
greenlet segfault (exit 139) |
Python version mismatch - use python3.14 explicitly |
libstdc++.so.6 errors |
NixOS lib path issue - use python3.14 in pybox |
Python Version Issues (NixOS/pybox)
The pybox container may have multiple Python versions with separate site-packages:
# Check which Python has camoufox
distrobox-enter pybox -- python3.14 -c "import camoufox; print('OK')"
# Wrong (may use different Python)
distrobox-enter pybox -- python3.14 scripts/camoufox-session.py ...
# Correct (explicit version)
distrobox-enter pybox -- python3.14 scripts/camoufox-session.py ...
If you get segfaults or import errors, always use python3.14 explicitly.
Examples
Scrape Airbnb Listing
distrobox-enter pybox -- python3.14 scripts/camoufox-fetch.py \
"https://www.airbnb.com/rooms/12345" \
--headless --wait 10 \
--screenshot airbnb.png
Scrape Yelp Business
distrobox-enter pybox -- python3.14 scripts/camoufox-fetch.py \
"https://www.yelp.com/biz/some-restaurant" \
--headless --wait 8 \
--output yelp.html
API Scraping with TLS Spoofing
distrobox-enter pybox -- python3.14 scripts/curl-api.py \
"https://api.yelp.com/v3/businesses/search?term=coffee&location=SF" \
--headers '{"Authorization": "Bearer xxx"}'
Session Management
Persistent sessions allow reusing authenticated state across runs without re-logging in.
Quick Start
# 1. Login interactively (headed browser opens)
distrobox-enter pybox -- python3.14 scripts/camoufox-session.py \
--profile airbnb --login "https://www.airbnb.com/account-settings"
# Complete login in browser, then press Enter to save session
# 2. Reuse session in headless mode
distrobox-enter pybox -- python3.14 scripts/camoufox-session.py \
--profile airbnb --headless "https://www.airbnb.com/trips"
# 3. Check session status
distrobox-enter pybox -- python3.14 scripts/camoufox-session.py \
--profile airbnb --status "https://www.airbnb.com"
Flags
| Flag | Description |
|---|---|
--profile NAME |
Named profile for session storage (required) |
--login |
Interactive login mode - opens headed browser |
--headless |
Use saved session in headless mode |
--status |
Check if session appears valid |
--export-cookies FILE |
Export cookies to JSON for backup |
--import-cookies FILE |
Import cookies from JSON file |
Storage
- Location:
~/.stealth-browser/profiles/\x3Cname>/ - Permissions: Directory
700, files600 - Profile names: Letters, numbers,
_,-only (1-63 chars)
Cookie Handling
- Save: All cookies from all domains stored in browser profile
- Restore: Only cookies matching target URL domain are used
- SSO: If redirected to Google/auth domain, re-authenticate once and profile updates
Login Wall Detection
The script detects session expiry using multiple signals:
- HTTP status: 401, 403
- URL patterns:
/login,/signin,/auth - Title patterns: "login", "sign in", etc.
- Content keywords: "captcha", "verify", "authenticate"
- Form detection: Password input fields
If detected during --headless mode, you'll see:
🔒 Login wall signals: url-path, password-form
Re-run with --login to refresh the session.
Remote Login (SSH)
Since --login requires a visible browser, you need display forwarding:
X11 Forwarding (Preferred):
# Connect with X11 forwarding
ssh -X user@server
# Run login (opens browser on your local machine)
distrobox-enter pybox -- python3.14 scripts/camoufox-session.py \
--profile mysite --login "https://example.com"
VNC Alternative:
# On server: start VNC session
vncserver :1
# On client: connect to VNC
vncviewer server:1
# In VNC session: run login
distrobox-enter pybox -- python3.14 scripts/camoufox-session.py \
--profile mysite --login "https://example.com"
Security Notes
⚠️ Cookies are credentials. Treat profile directories like passwords:
- Profile dirs have
chmod 700(owner only) - Cookie exports have
chmod 600 - Don't share profiles or exported cookies over insecure channels
- Consider encrypting backups
Limitations
| Limitation | Reason |
|---|---|
| localStorage/sessionStorage not exported | Use browser profile instead (handles automatically) |
| IndexedDB not portable | Stored in browser profile, not cookie export |
| No parallel profile access | No file locking in v1; use one process per profile |
References
- references/proxy-setup.md — Proxy configuration guide
- references/fingerprint-checks.md — What anti-bot systems check
安全使用建议
This skill appears to implement what it claims (stealth browsing + TLS spoofing), but be cautious before installing:
- Verify Camoufox: camoufox.install() will download and install a large custom Firefox fork. Confirm the upstream source (PyPI package homepage or GitHub releases) and vet the binary before running it in your environment.
- Missing referenced files: README/SKILL examples mention nodriver-fetch.py but that file isn't bundled — ask the author or be prepared for mismatched docs.
- Sensitive local storage: the session manager saves cookies under ~/.stealth-browser/profiles (mode 700) and can import/export them. Treat these files as sensitive (they can contain session tokens). Don't import cookies from untrusted sources.
- Proxy credentials: the skill expects residential/mobile proxies; those credentials may be passed on the command line or in environment variables. Avoid exposing real credentials in logs or shared environments.
- Run isolated: execute this only in an isolated container or throwaway VM (distrobox/pybox as suggested helps) and inspect network activity during camoufox.install() and first runs.
- If you need higher assurance: request the upstream Camoufox source (URL/zip checksum), or ask the maintainer to provide signed releases or an authoritative homepage. Presence of a verifiable upstream (GitHub releases, reputable vendor) would raise confidence.
If you can't verify the Camoufox distribution or you're unwilling to risk third-party native binaries, do not install. If you proceed, restrict network access for the container where possible and audit downloaded files.
功能分析
Type: OpenClaw Skill
Name: kesslerio-stealth-browser
Version: 1.0.0
This skill is classified as suspicious due to its inherent high-risk capabilities, which include performing arbitrary network requests, writing arbitrary files (HTML, screenshots, cookies), and handling sensitive cookie data via scripts like `camoufox-fetch.py`, `camoufox-session.py`, and `curl-api.py`. Furthermore, the `scripts/setup.sh` file executes `sudo dnf install` commands within the `pybox` container, demonstrating the ability to run commands with elevated privileges. While these actions are plausibly necessary for the stated purpose of anti-bot web scraping, they present significant security risks without clear evidence of intentional malicious behavior like unauthorized data exfiltration or persistence.
能力评估
Purpose & Capability
The name/description (stealth browser to bypass anti-bot) align with the included scripts (camoufox-fetch, camoufox-session, curl-api) and the requirement for distrobox (pybox container). However documentation and examples reference 'Nodriver' and a scripts/nodriver-fetch.py that is not present in the bundle — that's an inconsistency that reduces confidence. The skill also expects to download and run a custom Firefox fork (Camoufox) which is coherent with the stated goal but introduces additional supply-chain trust requirements.
Instruction Scope
Runtime instructions are explicit about running distrobox-enter and invoking scripts with proxy arguments, exporting proxies, and creating persistent profiles under ~/.stealth-browser. They request/perform local file I/O (profile and cookie import/export) which is necessary for session reuse but means the skill will store sensitive session cookies locally. The instructions do not attempt to read unrelated system config or hidden credentials, but storing and importing cookies and operating with proxy credentials are sensitive operations and should be treated cautiously.
Install Mechanism
There is no registry 'install' spec; installation is driven by scripts/setup.sh and by instructions to pip install camoufox and curl_cffi and to call camoufox.install(), which will download a ~700MB custom Firefox build. That is a high-risk install action because a large native binary is fetched and extracted at runtime from upstream sources not declared in the skill metadata — assess and verify the upstream Camoufox distribution before use. The setup also runs package installs (dnf) inside the container which is expected, but still expands attack surface.
Credentials
The skill declares no required env vars, which matches the bundle. The documentation suggests setting HTTP_PROXY/HTTPS_PROXY or passing proxy credentials in URLs; those credentials are necessary for the stated goal (residential proxies). There is no request for unrelated cloud or system credentials. However, the skill handles cookies and sessions (saves to ~/.stealth-browser/profiles) — these files can contain sensitive auth tokens and should be protected and audited.
Persistence & Privilege
always:false and normal model invocation are used. The skill creates its own profile directory (~/.stealth-browser) and persists cookies, which is within its stated purpose and correctly uses restrictive file permissions in code (chmod 700/600). It does not request system-wide privileges or modify other skills' configs.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install kesslerio-stealth-browser - 安装完成后,直接呼叫该 Skill 的名称或使用
/kesslerio-stealth-browser触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release: Camoufox and curl_cffi for anti-bot bypass
元数据
常见问题
Stealth Browser 是什么?
Anti-bot browser automation using Camoufox and Nodriver. Bypasses Cloudflare Turnstile, Datadome, and aggressive anti-bot on sites like Airbnb and Yelp. Use when standard Playwright/Selenium gets blocked. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 3789 次。
如何安装 Stealth Browser?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install kesslerio-stealth-browser」即可一键安装,无需额外配置。
Stealth Browser 是免费的吗?
是的,Stealth Browser 完全免费(开源免费),可自由下载、安装和使用。
Stealth Browser 支持哪些平台?
Stealth Browser 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Stealth Browser?
由 kesslerio(@kesslerio)开发并维护,当前版本 v1.0.0。
推荐 Skills