openclaw browser open https://chat.deepseek.com and log in to it, then input questions from the user's messages, extract the response of DeepSeek chat to reply to the user.
Security Analysis
high confidence
The skill's stated purpose (automating DeepSeek via a browser) matches much of its instructions, but it instructs the agent to send QR-code screenshots via many local/external messaging channels and references environment variables and local CLI commands that are not declared. This mismatch could lead to unintended credential or session exposure and requires caution.
The skill clearly aims to automate chat.deepseek.com in a browser and extract DOM text — that is coherent. However, the instructions call out many messaging channels (iMessage, WhatsApp, QQBot, Feishu, WeCom, Slack) and local exec commands to deliver QR screenshots, which implies access to platform messaging capabilities not declared in metadata (no required config, no declared credentials). Requesting to use multiple system messaging tools is disproportionate to a minimal 'open-and-read' browser automation skill and may require privileged local access.
SKILL.md instructs the agent to snapshot the page (including a QR login image), poll for login, and actively send that screenshot to various channels via exec'd CLIs (imsg, openclaw message send, etc.). The instructions also reference process.env.DEEPSEEK_PHONE and use direct shell execution. Sending screenshots of login QR codes and running arbitrary exec commands expands scope beyond mere DOM scraping and can expose session/credential data to external recipients.
No install spec and no code files beyond SKILL.md and package.json: the skill is instruction-only. This is lower risk from an install supply-chain perspective.
Registry metadata lists no required env vars or credentials, yet the instructions reference process.env.DEEPSEEK_PHONE and expect messaging tooling/credentials to be available. The skill expects access to messaging channels and local CLIs without declaring the necessary environment/configuration, which is an incoherence and increases the chance of misconfiguration or secret leakage.
The skill is not marked always:true, but it instructs autonomous actions that could transmit sensitive images (QR codes) via multiple channels. Autonomous invocation combined with the ability to exec local messaging commands and send screenshots increases blast radius if misused. There is no explicit requirement or safeguards in the instructions to ensure screenshots are only sent to an intended, explicitly-authorized recipient.
Guidance
This skill automates a browser to log into chat.deepseek.com and sends QR-code screenshots to messaging channels using local CLI commands. Before installing or enabling it:
- Understand that QR screenshots can grant access to accounts — sending them to any channel risks account takeover.
- The skill references process.env.DEEPSEEK_PHONE and uses local messaging CLIs but declares no required env vars or credentials; verify and lock down any environment variables and recipients.
- Only grant this skill to agents you fully trust and only on machines where the messaging CLIs it calls (imsg, openclaw message send, etc.) are safe and intended to be used.
- If you don't want automated sending of images, decline or edit the skill to remove the exec/send steps and require a human-confirmation step before sharing screenshots.
- Consider running it in a sandboxed environment or reviewing the instructions line-by-line to ensure it won't send data to unexpected recipients.
Latest Release
v1.0.3
- Added "Browser" to the list of allowed tools, enabling usage of the Browser tool directly.
- Introduced a simple, reliable DeepSeek response extraction function and provided guidance to always use this method for extracting responses from the page.
- Updated documentation to highlight and explain the new recommended extraction method for agents, enhancing consistency and reliability.
- No functional code changes outside documentation and metadata.
Published by @qidu on ClawHub