← 返回 Skills 市场
Riddle
作者
davisdiehl
· GitHub ↗
· v1.1.0
1486
总下载
1
收藏
1
当前安装
2
版本数
在 OpenClaw 中安装
/install riddle
功能描述
Hosted browser automation API for agents. Screenshots, Playwright scripts, workflows — no local Chrome needed.
安全使用建议
Before installing: 1) Note the inconsistency: registry metadata lists no required credentials but the instructions require you to set a RIDDLE_API_KEY in OpenClaw config — confirm where the key is stored and how it is used. 2) Do not add the plugin to plugins.allow or edit ~/.openclaw/openclaw.json until you have inspected the plugin package (npm @riddledc/openclaw-riddledc) or its GitHub repo and verified checksums/CODE. 3) Understand privacy risks: sending cookies/localStorage/headers to a third-party browser service will expose session tokens and possibly PII — only do this with throwaway or explicitly consented credentials. 4) Verify the network allowlist and claims (api.riddledc.com only, no access to conversation history) by reviewing the plugin source and runtime policies; prose claims in SKILL.md are not proof. 5) If data sensitivity is high, prefer running Playwright locally or on an environment you control, or use ephemeral credentials and minimal scopes. 6) If you proceed, test with minimal, non-sensitive examples first and confirm the package's provenance (npm publisher, GitHub repo, CHECKSUMS.txt/SECURITY.md) and contact [email protected] with any questions.
功能分析
Type: OpenClaw Skill
Name: riddle
Version: 1.1.0
The skill bundle is classified as benign. The `SKILL.md` provides clear instructions for installing and configuring a browser automation plugin, including setting an API key and modifying the OpenClaw configuration file (`~/.openclaw/openclaw.json`) using `jq` to add the plugin to an allow list. While direct file modification and external plugin installation (`@riddledc/openclaw-riddledc`) are present, they are explicitly explained as necessary for the plugin's functionality. Crucially, the `SKILL.md` includes a 'Trust & Security' section that declares strict boundaries for the plugin, such as network access limited to `api.riddledc.com`, filesystem writes restricted to `~/.openclaw/workspace/riddle/`, and zero access to agent context or other secrets. There is no evidence of prompt injection attempts, data exfiltration instructions, or other malicious intent within the provided files.
能力评估
Purpose & Capability
The skill name/description (hosted browser API) matches the actions described (screenshots, Playwright scripts, workflows). However, the registry metadata lists no required environment variables or primary credential, while SKILL.md explicitly instructs you to obtain and configure a RIDDLE_API_KEY in OpenClaw config — this is an internal inconsistency. The install step (openclaw plugins install @riddledc/openclaw-riddledc) is consistent with a node plugin for this purpose.
Instruction Scope
SKILL.md tells the user/agent to install a plugin, add it to plugins.allow (editing ~/.openclaw/openclaw.json), restart the gateway, and configure an API key. It also documents passing cookies, localStorage, or custom headers to Riddle to access authenticated pages — a legitimate feature but one that enables sending session tokens and other sensitive data to an external service. The document claims the plugin cannot read conversation history or send the API key elsewhere, but those are claims in prose and cannot be verified from this instruction-only skill.
Install Mechanism
The SKILL.md points to installing a node plugin (@riddledc/openclaw-riddledc) via the OpenClaw CLI (npm-backed). Pulling a plugin from npm/GitHub is a common install path, but the registry metadata lists Source: unknown and no package/code is included in the skill bundle to audit. That makes the install a moderate risk until you verify the actual package contents, provenance, and checksums referenced in the README.
Credentials
The metadata declares no required env vars or primary credential, yet the instructions require a RIDDLE_API_KEY to be stored in OpenClaw config. SKILL.md also explains how to forward cookies/localStorage and custom headers to Riddle; these are legitimate for accessing private pages but are high-risk operations because they can expose session tokens, SSO cookies, or other secrets to the third-party service. The declared policy that only RIDDLE_API_KEY is needed (and only sent to api.riddledc.com) is a claim but not enforced by anything in this package.
Persistence & Privilege
The skill does not request always: true and is user-invocable (normal). However, installation requires adding the plugin to the global plugins.allow list and restarting the gateway (editing ~/.openclaw/openclaw.json), which modifies global agent configuration and makes the plugin available to future agent runs. That configuration change is expected for plugins but increases the blast radius if the plugin behaves maliciously; treat it as a permission grant that should be reviewed first.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install riddle - 安装完成后,直接呼叫该 Skill 的名称或使用
/riddle触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.1.0
Add quick start, pricing, and reference links
v1.0.0
Initial release — hosted browser automation API for AI agents. Screenshots, Playwright scripts, multi-step workflows. No local Chrome needed.
元数据
常见问题
Riddle 是什么?
Hosted browser automation API for agents. Screenshots, Playwright scripts, workflows — no local Chrome needed. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1486 次。
如何安装 Riddle?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install riddle」即可一键安装,无需额外配置。
Riddle 是免费的吗?
是的,Riddle 完全免费(开源免费),可自由下载、安装和使用。
Riddle 支持哪些平台?
Riddle 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Riddle?
由 davisdiehl(@davisdiehl)开发并维护,当前版本 v1.1.0。
推荐 Skills