Safety Report

Stealth Browser

Name: Stealth Browser
Rating: 3 (4 reviews)
Author: kesslerio

Anti-bot browser automation using Camoufox and Nodriver. Bypasses Cloudflare Turnstile, Datadome, and aggressive anti-bot on sites like Airbnb and Yelp. Use when standard Playwright/Selenium gets blocked.

3,190Downloads

7Installs

4Stars

1Versions

Workflow Automation3,323 Browser Automation1,737 Cloud Storage1,005 Automated Testing538

Security Analysis

medium confidence

Suspicious0.12 risk

The skill's code and instructions broadly match its anti-bot purpose, but there are inconsistencies and an install-time risk (a large custom browser binary is downloaded via camoufox.install()) plus missing referenced files — review the Camoufox source and proxy/cookie handling before installing.

Feb 11, 20268 files4 concerns

Purpose & Capabilitynote

The name/description (stealth browser to bypass anti-bot) align with the included scripts (camoufox-fetch, camoufox-session, curl-api) and the requirement for distrobox (pybox container). However documentation and examples reference 'Nodriver' and a scripts/nodriver-fetch.py that is not present in the bundle — that's an inconsistency that reduces confidence. The skill also expects to download and run a custom Firefox fork (Camoufox) which is coherent with the stated goal but introduces additional supply-chain trust requirements.

Instruction Scopenote

Runtime instructions are explicit about running distrobox-enter and invoking scripts with proxy arguments, exporting proxies, and creating persistent profiles under ~/.stealth-browser. They request/perform local file I/O (profile and cookie import/export) which is necessary for session reuse but means the skill will store sensitive session cookies locally. The instructions do not attempt to read unrelated system config or hidden credentials, but storing and importing cookies and operating with proxy credentials are sensitive operations and should be treated cautiously.

Install Mechanismconcern

There is no registry 'install' spec; installation is driven by scripts/setup.sh and by instructions to pip install camoufox and curl_cffi and to call camoufox.install(), which will download a ~700MB custom Firefox build. That is a high-risk install action because a large native binary is fetched and extracted at runtime from upstream sources not declared in the skill metadata — assess and verify the upstream Camoufox distribution before use. The setup also runs package installs (dnf) inside the container which is expected, but still expands attack surface.

Credentialsnote

The skill declares no required env vars, which matches the bundle. The documentation suggests setting HTTP_PROXY/HTTPS_PROXY or passing proxy credentials in URLs; those credentials are necessary for the stated goal (residential proxies). There is no request for unrelated cloud or system credentials. However, the skill handles cookies and sessions (saves to ~/.stealth-browser/profiles) — these files can contain sensitive auth tokens and should be protected and audited.

Persistence & Privilegeok

always:false and normal model invocation are used. The skill creates its own profile directory (~/.stealth-browser) and persists cookies, which is within its stated purpose and correctly uses restrictive file permissions in code (chmod 700/600). It does not request system-wide privileges or modify other skills' configs.

Guidance

This skill appears to implement what it claims (stealth browsing + TLS spoofing), but be cautious before installing: - Verify Camoufox: camoufox.install() will download and install a large custom Firefox fork. Confirm the upstream source (PyPI package homepage or GitHub releases) and vet the binary before running it in your environment. - Missing referenced files: README/SKILL examples mention nodriver-fetch.py but that file isn't bundled — ask the author or be prepared for mismatched docs. - Sensitive local storage: the session manager saves cookies under ~/.stealth-browser/profiles (mode 700) and can import/export them. Treat these files as sensitive (they can contain session tokens). Don't import cookies from untrusted sources. - Proxy credentials: the skill expects residential/mobile proxies; those credentials may be passed on the command line or in environment variables. Avoid exposing real credentials in logs or shared environments. - Run isolated: execute this only in an isolated container or throwaway VM (distrobox/pybox as suggested helps) and inspect network activity during camoufox.install() and first runs. - If you need higher assurance: request the upstream Camoufox source (URL/zip checksum), or ask the maintainer to provide signed releases or an authoritative homepage. Presence of a verifiable upstream (GitHub releases, reputable vendor) would raise confidence. If you can't verify the Camoufox distribution or you're unwilling to risk third-party native binaries, do not install. If you proceed, restrict network access for the container where possible and audit downloaded files.

Latest Release

v1.0.0

Initial release: Camoufox and curl_cffi for anti-bot bypass

More by @kesslerio

Frontend Design Ultimate

36 stars

Academic Deep Research

24 stars

Finance News Briefings

7 stars

Phone Voice Agent

6 stars

SoulCraft

3 stars

TechMeme News

3 stars

Published by @kesslerio on ClawHub