Total downloads: 89
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install termux-zero-token
Description
On Termux, use the cookies from the phone's logged-in Chrome to call DeepSeek, Kimi, Qwen, GLM and other AI models for free.
Security recommendations
This skill does what it claims (uses ADB/Chrome remote debugging to steal cookies from your phone and reuse them to call AI services), but that capability is sensitive and risky. Before installing or running it, consider:
1) Only use on a device/account you fully control and that has no payment or sensitive data; these cookies can allow account takeover.
2) Review the code yourself (or have a trusted reviewer): it saves cookies unencrypted to ~/.openclaw/zero-token/credentials.json for 7 days.
3) Running npm install will fetch playwright-core and its dependencies; be prepared for large installs and platform dependencies.
4) This approach likely violates the providers' terms of service and could lead to account suspension.
5) If you still want to try it, run it in an isolated environment (throwaway account / VM), remove stored credentials after use, and monitor network activity.
6) If you need legitimate API access, prefer official API keys or provider-approved SDKs rather than extracting browser sessions.
Finally, given the sensitive nature of what it does, treat this skill as high-risk and avoid using it on primary or shared accounts.
Functional analysis
Type: OpenClaw Skill
Name: termux-zero-token
Version: 1.0.0
The skill bundle automates the extraction of sensitive session cookies from a phone's Chrome browser via ADB and Chrome DevTools Protocol (CDP) to bypass AI provider API limits. While the code in src/index.ts and the provider scripts (e.g., src/providers/deepseek-stream.ts) appears to use these credentials locally to communicate with official AI endpoints like api.deepseek.com and api.moonshot.cn, the practice of scraping and storing raw session cookies in ~/.openclaw/zero-token/credentials.json is high-risk. Although no evidence of exfiltration to a third party was found, the tool's core functionality relies on bypassing security boundaries and Terms of Service, which is inherently risky behavior.
Capability assessment
Purpose & Capability
The name/description claim to use a phone Chrome session to call DeepSeek/Kimi/Qwen/GLM without API keys; the source files implement exactly that: connecting to Chrome CDP over localhost:9222 via Playwright, reading cookies for provider domains, and calling provider endpoints with those cookies or extracted tokens. Saving credentials to ~/.openclaw/zero-token/credentials.json is consistent with the stated goal. The Playwright dependency is logically required for CDP access.
Instruction Scope
SKILL.md explicitly instructs the user to enable ADB forwarding and Chrome remote debugging, then 'import credentials' (i.e., capture cookies/session). The code captures cookies for provider domains and saves them locally. Capturing browser cookies is intrinsically high-risk: these are sensitive session credentials that can grant account access. The instructions and code also encourage enabling remote debugging on a phone (broad access to the device's browser session). While scoped to listed providers' domains, the runtime has access to the phone's browser via CDP and could be extended to capture other data. The SKILL.md also triggered a prompt-injection scanner finding (system-prompt-override) — the file references 'systemPrompt' in examples; this is likely benign in context but worth noting.
Install Mechanism
There is no explicit install specification (instruction-only style), but package.json declares a dependency on 'playwright-core'. Playwright can be large and may pull in native artifacts or require additional platform-specific setup. No remote downloads from unknown URLs are present in the skill bundle itself. Because there's no install spec in the skill metadata, installing/running this code will require npm install which will fetch packages from the public registry — normal but non-trivial.
Credentials
The skill requests no declared environment variables, but it requires ADB access to a user's phone and direct access to mobile Chrome sessions. It persists cookies and optional userAgent into an unencrypted file (~/.openclaw/zero-token/credentials.json) for 7 days. Storing session cookies is equivalent to storing account credentials and is disproportionate in sensitivity even if logically needed to achieve the stated feature. There are no additional external secret requirements, and the provider cookieDomains restrict what it collects, but that still grants full session-level access to those accounts.
Persistence & Privilege
The skill writes persistent credentials to the user's home directory under ~/.openclaw/zero-token and sets an expiresAt timestamp (7 days). always is false (no unconditional inclusion). The skill does not modify other skills or global agent config. Allowing autonomous invocation is the platform default; combined with persistent sensitive data it increases blast radius if the agent uses the stored cookies without user confirmation.
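How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install termux-zero-token
- Once installed, call the Skill by name or use /termux-zero-token to trigger it
- Provide the required input according to the Skill's parameter description to get structured output
Version history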
v1.0.0
termux-zero-token 1.0.0
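- New release: on Android Termux, use the account logged in to the phone's Chrome to call DeepSeek, Kimi, Qwen, GLM and other AI models for free, with no API key
- Supports multiple AI providers and multiple models, completely free, using browser cookies to simulate login
- One-click credential extraction, connecting automatically to the phone's Chrome (requires adb port forwarding to be enabled)
- Detailed guidance on installation, usage, technical principles and business model
- Stated limitations: cookies must be refreshed periodically, personal use only, long-term validity not guaranteed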
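FAQ
What is Termux Zero Token?
On Termux, use the cookies from the phone's logged-in Chrome to call DeepSeek, Kimi, Qwen, GLM and other AI models for free. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 89 downloads to date.
How do I install Termux Zero Token?
Run the command "/install termux-zero-token" in the OpenClaw or Claude Code chat box to install it in one step, with no extra configuration.
Is Termux Zero Token free?
Yes, Termux Zero Token is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does Termux Zero Token support?
Termux Zero Token runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed Termux Zero Token?
It is developed and maintained by t9530638 (@t9530638); the current version is v1.0.0.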