Total downloads: 97
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install xiaopi-agent-browser
Description
A fast Rust-based headless browser automation CLI with Node.js fallback that enables AI agents to navigate, click, type, and snapshot pages via structured co...
Security usage recommendations
This skill is plausibly a useful browser-automation wrapper, but there are red flags around provenance and install instructions. Before installing or allowing the agent to run it autonomously:
1) Verify the npm package name 'agent-browser' and inspect the package on the npm registry for publisher, version, and install scripts;
2) Confirm the upstream repository (the SKILL.md references github.com/vercel-labs/agent-browser) — check the repo owner, tags, and source code;
3) Resolve metadata mismatches (ownerId/slug/version differences between registry metadata and _meta.json) with the publisher;
4) If you must test, install and run it in a sandbox or isolated VM/container and avoid global npm installs on production hosts;
5) Limit the agent's access to local files and outgoing network when first enabling the skill.
If you cannot verify the upstream package and author, treat the skill as untrusted.
Functional analysis
Type: OpenClaw Skill
Name: xiaopi-agent-browser
Version: 1.0.0
The skill provides a comprehensive wrapper for the `agent-browser` CLI, enabling full headless browser control. It includes high-risk capabilities such as executing arbitrary JavaScript (`eval`), accessing and saving session state including cookies (`state save`, `cookies`), and intercepting network traffic (`network route`). While these features are aligned with the stated purpose of web automation and testing, they represent a significant attack surface for potential data exfiltration or session hijacking. The skill documentation in `SKILL.md` correctly reflects the capabilities of the legitimate upstream tool (https://github.com/vercel-labs/agent-browser), but the inherent power of the tool meets the criteria for a suspicious classification.
Capability assessment
Purpose & Capability
The SKILL.md describes a Rust-based CLI with a Node.js fallback and shows npm-based installation instructions. The registry metadata requires node and npm as binaries, yet a Rust binary would not normally require npm. The SKILL.md also documents building from source (git + pnpm) but the skill's declared required binaries do not include git or pnpm. Additionally, the skill registry entry (slug/version/owner) does not match the _meta.json contents (different ownerId, slug, and version), and the package has no declared homepage or source URL in the registry — these inconsistencies suggest packaging/copying or provenance issues.
Instruction Scope
The runtime instructions are narrowly focused on browser automation commands (navigate, snapshot, click, fill, upload, screenshot, etc.), which aligns with the described purpose. The document includes commands that can access pages, cookies/storage, and upload local files — expected for a browser automation tool but potentially capable of exposing sensitive local data if misused. The SKILL.md does not instruct reading unrelated system files or environment variables.
Install Mechanism
There is no formal install spec in the skill bundle (instruction-only), but SKILL.md recommends npm global installation (npm install -g agent-browser) and provides a from-source path requiring git and pnpm. Running npm install -g executes package install scripts from the npm registry, which can run arbitrary code on the host. Because the registry metadata has no source/homepage and the skill manifest mismatches the included _meta.json, it's unclear whether the npm package name and upstream repository are trustworthy. The absence of declared git/pnpm in required binaries is another mismatch.
Credentials
The skill declares no required environment variables or credentials, and SKILL.md does not request secrets. That is proportionate for a browser automation CLI. However, the tool's capabilities (navigation, cookies, file upload) mean an installed CLI could access local files and network endpoints, so installation should be treated with the same caution as installing any third-party CLI.
Persistence & Privilege
The skill does not request always:true and uses default agent invocation settings. It is instruction-only and does not include code that would be written to disk by the platform. Autonomous invocation is allowed (platform default) — combine that with the install concerns above when deciding whether to permit autonomous runs.
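How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install xiaopi-agent-browser
- Once installation completes, call the Skill by name or use /xiaopi-agent-browser to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output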
Version history
v1.0.0
Initial release of agent-browser: a fast Rust-based CLI for browser automation.
- Enables AI agents to navigate, interact, and extract data from web pages via structured commands.
- Supports navigation, clicking, typing, form filling, screenshots, PDFs, video recording, and state management.
- Offers both element ref and semantic locator-based interactions.
- Provides commands for cookies, storage, network control, tabs/windows, frames, dialogs, and custom JavaScript.
- Includes detailed CLI usage and workflow examples for quick start.
- Node.js fallback included for broad compatibility.
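FAQ
What is Xiaopi Agent Browser?
A fast Rust-based headless browser automation CLI with Node.js fallback that enables AI agents to navigate, click, type, and snapshot pages via structured co... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 97 downloads to date.
How do I install Xiaopi Agent Browser?
Run the command "/install xiaopi-agent-browser" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is Xiaopi Agent Browser free?
Yes, Xiaopi Agent Browser is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.
Which platforms does Xiaopi Agent Browser support?
Xiaopi Agent Browser is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Xiaopi Agent Browser?
It is developed and maintained by Adin (@a-din); the current version is v1.0.0.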