← 返回 Skills 市场
Vanzhangsh Skills
作者
vanzhangsh
· GitHub ↗
· v1.0.0
402
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install vanzhangsh-skills
功能描述
A fast Rust-based headless browser automation CLI with Node.js fallback that enables AI agents to navigate, click, type, and snapshot pages via structured co...
安全使用建议
This skill's instructions appear to wrap a legitimate browser automation CLI, but provenance is unclear and some metadata (skill name, owner IDs, and _meta.json) don't line up with the documented CLI. Before installing or running any recommended npm or git commands: 1) Verify the npm package and GitHub repository (owner, npm package page, versions, downloads, and maintainers). 2) Inspect the package contents and package.json (look for postinstall scripts). 3) Prefer installing in a sandbox/container or non-root account, not globally on production hosts. 4) If you need stronger assurance, clone the upstream repo yourself, review source code and build artifacts, and only run locally-built binaries. 5) If you cannot verify origin or content, treat it as untrusted — do not run global npm installs or give it access to sensitive files/credentials. If you want, I can fetch and summarize the npm package page and GitHub repo (if you provide a URL) or help formulate commands to inspect the package safely.
功能分析
Type: OpenClaw Skill
Name: vanzhangsh-skills
Version: 1.0.0
The skill is classified as suspicious due to the broad `allowed-tools: Bash(agent-browser:*)` permission in `SKILL.md`, which grants the AI agent full control over the powerful `agent-browser` CLI. This tool exposes high-risk capabilities such as arbitrary JavaScript execution (`agent-browser eval`), direct access to browser cookies and local storage (`agent-browser cookies`, `agent-browser storage`), and the ability to save the entire browser session state to a local file (`agent-browser state save auth.json`). While these are legitimate features for browser automation, their unrestricted exposure makes the agent highly vulnerable to prompt injection, allowing an attacker to instruct the agent to exfiltrate sensitive browser data, execute arbitrary code within the browser context, or perform unauthorized actions.
能力评估
Purpose & Capability
The SKILL.md documents an 'agent-browser' CLI for automating web pages; required binaries (node, npm) match that purpose. However the skill registry name ('Vanzhangsh Skills') and registry metadata do not match the SKILL.md/_meta.json content (which references 'agent-browser'), and the skill lists no homepage/source in registry metadata — an incoherence in provenance.
Instruction Scope
Instructions are scoped to browser automation tasks (navigate, snapshot, click, fill, screenshot, record, cookies/storage access, file upload). These actions fit the described purpose. The SKILL.md also tells the agent to install/run a third‑party CLI (npm install -g agent-browser, git clone ...), which is expected for this skill type but increases risk because those installers can execute arbitrary postinstall scripts and the CLI itself can access web pages, cookies, storage, and local files.
Install Mechanism
The skill is instruction-only and has no install spec, but the instructions recommend installing a global npm package and cloning a GitHub repo. Because the registry metadata lacks a homepage/source and the skill does not bundle or vet the referenced package, installing would pull third‑party code at runtime — this is proportionally riskier than an instruction-only skill that uses already-trusted system binaries.
Credentials
The skill declares no environment variables, credentials, or config paths. The runtime commands reference browser cookies/storage and optional file uploads (expected for a browser automation tool) but do not require unrelated credentials in the manifest.
Persistence & Privilege
always is false and the skill requests no system-wide configuration or cross-skill credential access. Autonomous invocation is allowed (platform default) and is not itself a red flag here.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install vanzhangsh-skills - 安装完成后,直接呼叫该 Skill 的名称或使用
/vanzhangsh-skills触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of Agent Browser CLI for AI-powered web automation.
- Fast, Rust-based headless browser with Node.js fallback.
- Provides structured CLI commands for navigation, clicking, typing, snapshots, form filling, UI testing, and data extraction.
- Supports advanced workflows: state management, video recording, screenshots, network control, cookies/storage, and semantic element selectors.
- Designed for automation, accessibility tree extraction, and robust web testing use cases.
元数据
常见问题
Vanzhangsh Skills 是什么?
A fast Rust-based headless browser automation CLI with Node.js fallback that enables AI agents to navigate, click, type, and snapshot pages via structured co... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 402 次。
如何安装 Vanzhangsh Skills?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install vanzhangsh-skills」即可一键安装,无需额外配置。
Vanzhangsh Skills 是免费的吗?
是的,Vanzhangsh Skills 完全免费(开源免费),可自由下载、安装和使用。
Vanzhangsh Skills 支持哪些平台?
Vanzhangsh Skills 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Vanzhangsh Skills?
由 vanzhangsh(@vanzhangsh)开发并维护,当前版本 v1.0.0。
推荐 Skills