Trusted — Risk Score 5/100
Last scan: 1 day ago
reg-browser-bot
Browser automation toolkit for multi-account management, data collection, automated operations, and captcha recognition on e-commerce and social platforms
This is a legitimate browser automation toolkit for account management, data collection, and automated operations on e-commerce/social platforms. The codebase has sound security design with Fernet encryption for passwords, cookie domain validation, no dangerous deserialization, and no credential theft or exfiltration behavior.
Skill Name: reg-browser-bot
Duration: 76.1s
Engine: pi
Safe to install
This skill is safe to use. No malicious behavior detected. The only minor concern is the auto-installation of the cryptography package as a fallback in security.py, which is defensible for a dependency that directly enables the skill's core encryption feature.

Findings 2 items

Severity: Low
Finding: Fallback auto-installation of cryptography package (Supply Chain)
Location: security.py:28
security.py:28-30 automatically runs 'pip3 install cryptography' if the cryptography package is not available. While this enables the skill's core encryption feature, it could install an unexpected version of cryptography in constrained environments.
except ImportError:
    import subprocess
    subprocess.check_call(['pip3', 'install', 'cryptography', '--break-system-packages'])
→ Consider pinning to a specific version (e.g., cryptography>=3.4) in a requirements.txt and document it as a required dependency. Let installation fail clearly rather than auto-installing.

Severity: Low
Finding: Pre-scan misidentified Chrome version numbers as IP addresses (Doc Mismatch)
Location: browser_config.py:43
The pre-scan flagged browser_config.py lines 43-46,63 as hardcoded IP addresses (120.0.0.0, 119.0.0.0, etc.). These are actually Chrome and Opera version numbers embedded in User-Agent strings (e.g., 'Chrome/120.0.0.0', 'OPR/106.0.0.0'). No actual IP addresses or C2 infrastructure exists.
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
→ No action needed. Pre-scan false positive — the values are standard browser UA version strings.

Resource | Declared | Inferred | Status | Evidence
Filesystem | READ+WRITE | READ+WRITE | ✓ Aligned | account.py writes JSON to ~/.openclaw/accounts/, explicitly declared in SKILL.md…
Network | READ | READ | ✓ Aligned | collector.py navigates to taobao/jd/douyin, explicitly declared in SKILL.md over…
Shell | NONE | NONE | | security.py:29 uses subprocess only to install cryptography package as a depende…
Environment | NONE | NONE | | security.py:37 reads REG_BROWSER_KEY env var for key override only — no iteratio…
Skill Invoke | NONE | NONE | | No cross-skill invocation found
Clipboard | NONE | NONE | | Not used anywhere in codebase
Browser | READ+WRITE | READ+WRITE | ✓ Aligned | Selenium/Playwright browser automation, declared in SKILL.md Phase D
Database | READ+WRITE | READ+WRITE | ✓ Aligned | SQLite in ~/.config/reg-browser-bot/, declared in SKILL.md Phase B SQLite storag…

5 High, 19 findings

Severity | Type | Value | Location
High | IP Address (hardcoded IP address) | 120.0.0.0 | browser_config.py:43
High | IP Address (hardcoded IP address) | 119.0.0.0 | browser_config.py:44
High | IP Address (hardcoded IP address) | 118.0.0.0 | browser_config.py:45
High | IP Address (hardcoded IP address) | 121.0.0.0 | browser_config.py:46
High | IP Address (hardcoded IP address) | 106.0.0.0 | browser_config.py:63
Medium | External URL | http://127.0.0.1:7890 | SKILL.md:251
Medium | External URL | https://www.baidu.com | SKILL.md:500
Medium | External URL | https://s.taobao.com/search?q= | collector.py:234
Medium | External URL | https://search.jd.com/Search?keyword= | collector.py:284
Medium | External URL | https://www.douyin.com/search/ | collector.py:328
Medium | External URL | https://item.jd.com/123.html | collector.py:400
Medium | External URL | https://www.example.com/login | pipeline.py:397
Medium | External URL | https://www.douyin.com | poster.py:108
Medium | External URL | https://creator.douyin.com/create-micro-site | poster.py:114
Medium | External URL | https://creator.xiaohongshun.com/publish/publish | poster.py:145
Medium | External URL | https://weibo.com | poster.py:184
Medium | External URL | https://weibo.com/compose | poster.py:190
Medium | External URL | https://www.douyin.com/creator/dm | poster.py:226
Info | Email (email address) | [email protected] | account.py:660

File Tree

21 files · 286.4 KB · 9107 lines
Python 19f · 8223L Markdown 1f · 857L JSON 1f · 27L
├─ 🐍 __init__.py Python 113L · 2.5 KB
├─ 📋 _meta.json JSON 27L · 1.1 KB
├─ 🐍 account.py Python 846L · 27.8 KB
├─ 🐍 browser_config.py Python 750L · 25.5 KB
├─ 🐍 browser_manager.py Python 247L · 8.4 KB
├─ 🐍 browser_playwright.py Python 641L · 18.3 KB
├─ 🐍 browser.py Python 514L · 16.1 KB
├─ 🐍 captcha.py Python 899L · 30.1 KB
├─ 🐍 collector.py Python 470L · 14.4 KB
├─ 🐍 exceptions.py Python 57L · 1.1 KB
├─ 🐍 migrate_json_to_sqlite.py Python 330L · 10.7 KB
├─ 🔑 migrate_passwords.py Python 197L · 6.3 KB
├─ 🐍 models.py Python 505L · 16.9 KB
├─ 🐍 pipeline.py Python 628L · 18.8 KB
├─ 🐍 poster.py Python 456L · 14.9 KB
├─ 🐍 proxy.py Python 316L · 9.5 KB
├─ 🐍 security.py Python 200L · 6.2 KB
├─ 📝 SKILL.md Markdown 857L · 22.9 KB
├─ 🐍 task_scheduler.py Python 501L · 15.9 KB
├─ 🐍 tool.py Python 440L · 15.9 KB
└─ 🐍 utils.py Python 113L · 3.2 KB

Dependencies 8 items

Package | Version | Source | Known Vulns | Notes
selenium | >=4.0.0 | pip | No | Standard browser automation framework
cryptography | latest (auto-install fallback) | pip | No | Auto-installed as fallback; should be declared as a hard dependency
ddddocr | >=1.6.0 | pip | No | Pure Python OCR, Phase A upgrade
playwright | >=1.40.0 | pip | No | Phase D browser engine, dual-engine with Selenium
opencv-python | >=4.0.0 | pip | No | Used for slider captcha template matching
apscheduler | * | pip | No | Version not pinned
schedule | * | pip | No | Version not pinned
undetected-chromedriver | >=3.0.0 | pip | No | Optional anti-detection wrapper

Security Positives

✓ Fernet (AES-CBC) encryption with PBKDF2 key derivation for all stored passwords — security.py
✓ Cookie domain validation prevents cross-domain cookie injection — account.py:163-172
✓ No use of pickle, eval(), exec(), or other dangerous deserialization/code execution patterns
✓ No credential harvesting: does not read ~/.ssh, ~/.aws, .env, or iterate os.environ for secrets
✓ No data exfiltration: all collected data stored locally in ~/.openclaw/ and ~/.config/reg-browser-bot/
✓ No obfuscation: no base64-encoded execution, HTML comment hidden instructions, or anti-analysis tricks
✓ No remote script execution (curl|bash / wget|sh) — all dependencies declared
✓ Playwright and Selenium are well-established browser automation frameworks with no known malicious history
✓ No persistence mechanisms: no cron jobs, startup scripts, or backdoor installation
✓ SKILL.md accurately documents all capabilities, file paths, dependencies, and architecture phases