← 返回 Skills 市场
149
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install xiaopi-chrome-devtools
功能描述
Uses Chrome DevTools via MCP for efficient debugging, troubleshooting and browser automation. Use when debugging web pages, automating browser interactions,...
安全使用建议
This skill appears to do what it says (drive Chrome via MCP) but has a few red flags you should weigh before installing:
- It runs `npx chrome-devtools-mcp@latest` at runtime. That fetches and executes the latest code from npm each time — prefer pinned, reviewed package versions and inspect the package source before running.
- It launches Chrome with sandboxing disabled (`--no-sandbox`, `--disable-setuid-sandbox`), which weakens process isolation. Run this only in an isolated environment (container, VM) you control.
- It uses a 'persistent Chrome profile', which can grant access to cookies, sessions, history, and other sensitive browser data. Confirm whether the skill will use an isolated profile or your default profile.
- Owner/metadata mismatch: the top-level registry ownerId differs from _meta.json ownerId; that can indicate repackaging or inconsistent metadata — verify the publisher identity and source repository.
Recommendations before installing:
- Ask the publisher for the package repository and a pinned version (not `@latest`) and review the package contents.
- Run the skill in an isolated environment (temporary Chrome profile, container/VM) rather than on a machine with sensitive browser data.
- Prefer a release hosted on a known repository or pinned to a specific commit/release.
- If you cannot validate the npm package or publisher, do not install on hosts with sensitive data or credentials.
功能分析
Type: OpenClaw Skill
Name: xiaopi-chrome-devtools
Version: 1.0.0
The skill configuration in skill.json disables the Chrome security sandbox using the --no-sandbox and --disable-setuid-sandbox flags, which is a significant security vulnerability. Additionally, it uses npx chrome-devtools-mcp@latest to execute unpinned remote code, introducing a supply chain risk. While these patterns are sometimes used in specific automation environments, they represent high-risk behaviors according to security best practices.
能力评估
Purpose & Capability
The SKILL.md describes using chrome-devtools-mcp to control Chrome and skill.json invokes `npx chrome-devtools-mcp@latest` with Chrome args. The requested capabilities align with the stated purpose of browser debugging/automation.
Instruction Scope
Instructions reference a 'persistent Chrome profile' (which can expose cookies, history, local storage) and recommend writing large outputs to file paths. The SKILL.md does not request credentials, but operating on a persistent profile means the tool may access sensitive browser data. The runtime guidance to use filePath for large outputs implies the agent will write/read files from disk.
Install Mechanism
skill.json executes `npx -y chrome-devtools-mcp@latest`, which downloads and runs the latest package from the npm registry at runtime. Running dynamically fetched code is a moderate-to-high risk compared with a pinned, reviewed release. Additionally, the provided Chrome args include `--no-sandbox` and `--disable-setuid-sandbox`, which reduce process isolation and increase attack surface.
Credentials
The skill declares no required environment variables or external credentials (good). However, the use of a persistent Chrome profile effectively grants the skill access to browser-stored secrets (cookies, sessions), which is not reflected in the declared requirements and should be considered sensitive.
Persistence & Privilege
The skill does not request always: true and is user-invocable (normal). It will execute remote code via npx and may write package artifacts and profile data to disk; autonomous invocation is allowed by default, which increases blast radius when combined with npx/@latest and sandbox disablement.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install xiaopi-chrome-devtools - 安装完成后,直接呼叫该 Skill 的名称或使用
/xiaopi-chrome-devtools触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
chrome-devtools 1.0.0 initial release
- Introduces integration with Chrome DevTools via MCP for browser debugging, troubleshooting, and automation.
- Supports persistent Chrome profiles and configurable browser lifecycle via CLI arguments.
- Enables page selection, structured element interaction using unique uids, and efficient data retrieval options.
- Documents recommended workflow for navigation, waiting, snapshotting, and element interaction.
- Highlights parallel tool call support and troubleshooting resources for setup and UI issues.
元数据
常见问题
Xiaopi Chrome Devtools 是什么?
Uses Chrome DevTools via MCP for efficient debugging, troubleshooting and browser automation. Use when debugging web pages, automating browser interactions,... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 149 次。
如何安装 Xiaopi Chrome Devtools?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install xiaopi-chrome-devtools」即可一键安装,无需额外配置。
Xiaopi Chrome Devtools 是免费的吗?
是的,Xiaopi Chrome Devtools 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Xiaopi Chrome Devtools 支持哪些平台?
Xiaopi Chrome Devtools 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Xiaopi Chrome Devtools?
由 Adin(@a-din)开发并维护,当前版本 v1.0.0。
推荐 Skills