camofox-browser
Fail
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill implements a plugin management system that allows downloading and installing JavaScript code from arbitrary external URLs and Git repositories (e.g., npm run plugin install <URL>). This mechanism executes installation scripts and loads the downloaded code into the server process, providing a direct vector for remote code execution from untrusted sources.
- [COMMAND_EXECUTION]: The skill documentation includes an 'OpenClaw Scanner Isolation' section which provides detailed instructions on how to bypass platform security scanners. It explicitly describes how to partition code into different files to avoid triggering detection for malicious patterns like environment variable harvesting and dangerous command execution.
- [COMMAND_EXECUTION]: The server relies on spawning multiple subprocesses to manage its core functionality, including the Camoufox browser engine, the yt-dlp utility for YouTube transcriptions, and VNC server components.
- [EXTERNAL_DOWNLOADS]: The skill fetches executable binaries and scripts from remote sources during setup and operation. This includes downloading the Camoufox browser (~300MB), the yt-dlp binary via curl in a post-install.sh script, and potential third-party plugins from unverified URLs.
- [DATA_EXFILTRATION]: The skill is designed to manage and inject sensitive session cookies for platforms like LinkedIn and Amazon. The handling of plaintext cookie files in the ~/.camofox/cookies/ directory and the ability to export full storage states (/sessions/:userId/storage_state) creates a surface for credential theft and session hijacking.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface. It retrieves and processes 'accessibility snapshots' from external, untrusted websites. These snapshots are then presented to the AI agent to drive navigation and interaction. A malicious website could manipulate its accessibility tree metadata to trick the agent into performing unauthorized actions using the browser's authenticated tools.
  - Ingestion points: Untrusted web content is ingested via the /tabs/:tabId/snapshot and /youtube/transcript endpoints.
  - Boundary markers: None identified in the snapshot data returned to the agent.
  - Capability inventory: The skill provides tools for clicking elements, typing text, navigating to URLs, and interacting with browser sessions.
  - Sanitization: Cookie data is filtered against an allowlist, but the primary interaction data (accessibility tree) is passed to the agent based on untrusted external DOM structures.
Recommendations
- AI detected serious security threats
Audit Metadata