Turn any website into a CLI command. 36 platforms, 103 commands — Twitter, Reddit, GitHub, YouTube, Zhihu, Bilibili, Weibo, and more. Uses OpenClaw's browser...
Security Analysis
high confidenceThe skill's purpose matches the bb-browser CLI, but the runtime instructions reference OpenClaw tooling and community adapter downloads that are not declared in the skill metadata, creating incoherence and a modest safety risk.
The skill claims to turn websites into CLI commands and correctly requires the bb-browser binary; however the SKILL.md repeatedly requires/assumes OpenClaw's browser (e.g., 'openclaw browser open ...' and the mandatory '--openclaw' flag). The manifest does not declare the openclaw binary or any env/config access. This mismatch between description/instructions and declared requirements is incoherent.
Instructions are mostly scoped to running bb-browser commands, but they also (a) instruct the user/agent to open OpenClaw's browser for login and rely on browser login state, and (b) instruct 'bb-browser site update' to 'pull community adapters'—which implies fetching and installing third‑party adapters/code at runtime. Those operations involve network downloads and use of another CLI (openclaw) that are not represented in the declared allowed-tools or required binaries.
This is an instruction-only skill with no install spec or code files, so nothing will be written to disk by the skill bundle itself. The primary runtime risk comes from bb-browser's own behavior (e.g., updating/pulling community adapters), not from a packaged installer in the skill.
The skill declares no environment variables and requests no credentials. However it depends on the user's OpenClaw browser login state (cookies/session) to access authenticated pages; that reliance is reasonable for the stated purpose but is not declared as a required capability and can expose authenticated content if bb-browser adapters fetch or transmit sensitive data.
always is false (default) and the skill is user-invocable. Autonomous invocation is allowed by default on the platform; there is no additional persistence requested by this skill's metadata.
Guidance
This skill is broadly coherent with its stated goal of wrapping websites as bb-browser commands, but there are two important mismatches to verify before installing: (1) SKILL.md assumes OpenClaw's 'openclaw' browser CLI and use of '--openclaw', yet the skill metadata does not list openclaw as a required binary or allowed tool—confirm that your agent environment provides the OpenClaw browser CLI and that the skill will be permitted to call it; (2) the quick start tells users to run 'bb-browser site update' to pull community adapters, which likely downloads third-party code at runtime—review where those adapters come from (their source URLs/reputations) and inspect them before allowing updates. Also ask the publisher for a homepage/source and a provenance statement for adapters. If you proceed, install a trusted bb-browser binary from an official source, avoid blindly running 'site update' until you can audit the downloaded adapters, and be cautious about running commands that use your browser login state (they can access pages available to your logged-in account).
Latest Release
v0.6.0
- Major update: Skill now focuses on running structured data "adapters" for 36 platforms (103 commands) via bb-browser's site subcommands. - Adapters run directly through OpenClaw's browser with --openclaw, no Chrome extension or daemon needed. - Adds quick guide for extracting structured results from Twitter, Reddit, Weibo, GitHub, Zhihu, and more. - Includes built-in jq filtering for streamlined data extraction from all outputs. - Dropped the previous skill documentation covering manual, low-level browser automation; removed snapshot-refs.md. - Stronger emphasis on CLI integration, adapter usability, and instructions for login-required workflows.
More by @yan5xu
Published by @yan5xu on ClawHub
