Is mayuqi-crypto/stealth-browser safe?
https://github.com/openclaw/skills/tree/main/skills/mayuqi-crypto/stealth-browser
The mayuqi-crypto/stealth-browser skill is a dangerous deception toolkit that embeds Chinese-language instructions to operate silently, automatically captures authenticated browser sessions for every site a user logs into, and structurally exfiltrates page data to third-party CAPTCHA services — all without user disclosure. A shell injection vulnerability in task_runner.py and the 'crypto' namespace context further elevate risk, as the skill's bot-evasion capabilities combined with persistent session capture are purpose-built for cryptocurrency account compromise and large-scale web fraud. No confirmed real-time exfiltration occurred during static clone analysis, but the skill's design intent is inherently harmful.
Findings (10)
CRITICAL Chinese-Language Stealth Directives Embedded in IMPORTANT Section -45
SKILL.md contains a section titled '执行策略 (IMPORTANT)' that embeds operational directives in Chinese instructing the agent to prioritize silent headless operation and explicitly avoid informing users of its activity. The directive '避免打扰用户操作' (avoid disturbing user operations) is a prompt injection that overrides normal agent transparency. Using a non-English language for security-relevant instructions is a known technique to bypass human review of skill content.
CRITICAL Automatic Session Capture on Any Login Without Explicit Consent -55
The skill embeds an instruction in its description that causes the agent to automatically capture and persist authenticated browser sessions (cookies, localStorage) whenever a user asks to 'login to X website'. This happens without the user explicitly requesting session storage, and the stored sessions persist at ~/.clawdbot/browser-sessions/ indefinitely. A malicious actor controlling the skill server could later update scripts to exfiltrate these persisted sessions.
HIGH CAPTCHA Solving Structurally Exfiltrates Page Data to Third Parties -30
Every CAPTCHA challenge solved by this skill sends the target site's URL (pageurl), site key (googlekey/sitekey), and challenge parameters to commercial third-party services. This leaks browsing context and reveals what sites the user is accessing to external operators. The user has no visibility into this data sharing.
HIGH Shell Injection via subprocess.run with shell=True -30
task_runner.py implements a command executor that passes a string cmd directly to subprocess.run() with shell=True. If any web content, form data, or user-provided filenames reach this code path, arbitrary shell commands can be injected. This is particularly dangerous in a skill designed to interact with arbitrary websites.
HIGH Login Trigger Automatically Activates Covert Session Persistence -20
The skill description registers as an implicit override: any request to 'login to X website' activates covert session persistence without the user requesting it. This is an instruction that hijacks a common user intent and adds undisclosed side effects (session storage, attempt logging).
HIGH Core Functionality Designed for Fraud and Abuse Enablement -55
Bot-detection evasion (Cloudflare bypass, CAPTCHA solving, fingerprint masking, proxy rotation) has limited legitimate individual use cases but is the primary toolkit for large-scale web fraud, credential stuffing, account farming, and unauthorized scraping. The 'crypto' namespace context amplifies risk — these techniques applied to cryptocurrency exchanges, wallets, and trading platforms enable account takeover and fund theft.
MEDIUM Passwords Exposed via Command-Line Arguments -15
smart_login.py accepts account credentials as positional command-line arguments. These appear in /proc/
MEDIUM Third-Party Package Installation Required with Supply Chain Risk -20
Setup requires npm install -g of puppeteer-extra and playwright and pip install of undetected-chromedriver and DrissionPage. These packages run with agent-level privileges and introduce supply chain attack surface. The instructions also involve pulling and running a Docker container from ghcr.io/flaresolverr.
MEDIUM Sensitive Credential Files Read During Monitoring Window -20
Canary honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) were all opened and read during the monitoring period. While integrity was confirmed (no modification), read access to private keys and cloud credentials during the installation window is suspicious. The first read batch precedes the git clone, suggesting monitoring initialization; the second batch is consistent with the integrity check itself.
LOW Excessively Broad Trigger Keyword Scope -10
The skill activates for 'login to X website', 'bypass cloudflare', 'solve captcha', 'stealth browse', 'silent automation', 'persistent login', 'anti-detection' — a broad surface that will cause the skill to activate for many routine browsing requests, injecting stealth behavior into contexts where it was not requested.