Repo: github.com/CloakHQ/CloakBrowser
Stars: 19,458 (at ingest 2026-05-23)
Language: Python
License: MIT
Source: raw/gh-star-cloakhq-cloakbrowser.md

Drop-in Playwright replacement built on a modified Chromium with source-level fingerprint patches rather than runtime monkey-patches. Headline claim: passes 30/30 bot-detection tests. Sits in the same browser-automation surface as Browserbase Autobrowse (managed cloud) and TinyFish (full-Chromium fetch), but is self-hosted + explicitly anti-detect. Dual-use framing required — the topic tags include captcha-bypass, cloudflare-bypass, and undetected, which is a different ethics layer from the existing browser-automation cluster.

Key Takeaways

  • Drop-in Playwright replacement — same API surface, so existing Playwright scripts work with minimal modification. Lowers integration cost meaningfully vs. building against a bespoke stealth-browser API.
  • Source-level fingerprint patches — modifies Chromium at the source layer rather than injecting JS at runtime. Closer to undetectable by definition: there is no navigator.webdriver shim to detect because the property never returned true to begin with.
  • 30/30 bot-detection tests passed — falsifiable claim, reproducible against public test suites (bot.sannysoft.com, creepjs, fingerprintjs demos). See verification section.
  • Star count 19,458 on a ~3-month-old repo (created 2026-02-22). Same young-but-high-star caveat as NemoClaw / multica-ai’s skills repo. MIT-licensed Python lowers verification cost.
  • Sits in the security gray zone. Topic tags explicitly include anti-detect, cloudflare-bypass, captcha-bypass, undetected. This wiki’s strict-bar flags these as a separate ethics layer from generic browser automation — see Verify section.
  • Marketing-and-productivity-legitimate use cases exist — testing your own bot-detection layer, internal QA against your own site, accessibility regression testing, scraping content you own across mirrors. These are orthogonal to the dual-use side.
  • Comparison to the existing cluster. Browserbase Autobrowse is managed-cloud with bot-evasion as a side-effect of high-quality emulation; TinyFish is full-Chromium fetch positioned around content retrieval. CloakBrowser is the first in-wiki entry explicitly framed as stealth-first / detection-bypass-first.
  • No first-party benchmark vs. competitors, no maintainer talk, no third-party walkthrough found at ingest. The 30/30 claim rests on the repo’s own assertions.

Implementation

Tool/Service: CloakHQ/CloakBrowser (Python, MIT, stealth Chromium with source-level fingerprint patches)

Setup: Python install (likely pip install + a Chromium binary download step — the patched binary is the load-bearing artifact, can’t be reproduced via npm/pip alone). Exact wheel / binary distribution mechanism needs to be read from the repo README.

Cost: Free / open-source (MIT). Note: running a patched Chromium binary requires either trusting CloakHQ’s build pipeline or building from source yourself — non-trivial.

Integration notes:

  • API-compatible with Playwright, so scripts targeting playwright.async_api / playwright.sync_api should work with the import swapped.
  • Verify the binary before running. Patched Chromium binaries are an obvious attack vector — supply-chain compromise here would be high-impact. Check binary signatures, prefer building from source for production use.
  • For QA / internal-testing use cases: drop into existing Playwright test suites, run against your own production site, measure what your own bot-detection layer catches vs. lets through. This is the highest-leverage legitimate use case.
  • ToS implications vary by target. Using CloakBrowser to scrape a site whose ToS prohibits automation is a violation of those ToS regardless of detection — bypass tooling doesn’t change the legal/contractual layer. Some targets explicitly criminalize circumvention (e.g., CFAA-adjacent jurisprudence in the U.S.).
  • Marketing/productivity-legitimate slot: internal QA, accessibility regression, mirror-content scraping (where you own the content), competitive-pricing scraping where the target has no scraping prohibition.

Verify before citing

This article inherits the verification caveat from the raw stub. Strict-bar applies on two axes here — young age + high stars (structural) AND dual-use framing (ethics layer).

  • Star count 19,458 on a ~3-month-old repo (created 2026-02-22). Same structural caveat as the other Jan-Feb 2026 high-star Claude/AI repos. MIT + clear technical claim raises the prior.
  • 30/30 tests passed is reproducible. Run CloakBrowser against bot.sannysoft.com, creepjs, fingerprintjs demo. The number either holds or it doesn’t. Until reproduced independently it is a vendor-side claim.
  • Patched-binary supply-chain risk. The load-bearing artifact is a modified Chromium binary. Compromise of the build pipeline or CloakHQ’s release process means every install is compromised. This is a separate verification layer from the source code itself.
  • Dual-use ethics layer. The wiki’s domain is “applied AI for marketing & productivity.” Anti-detect / Cloudflare-bypass / captcha-bypass tooling sits in the security gray zone. Marking explicitly: (a) the wiki indexes this as infrastructure-aware comparison, not endorsement; (b) ToS implications vary by target — bypass tooling doesn’t legalize circumvention; (c) legitimate use cases exist (testing your own bot-detection, internal QA, accessibility regression) and are how a marketing/productivity practitioner should approach this.
  • What would falsify this. If reproduction shows: (i) 30/30 is closer to 18/30 or 25/30 in practice, (ii) the “source-level patches” are actually runtime monkey-patches with a different name, (iii) the binary fails on widely-deployed enterprise bot-detection (Cloudflare Bot Management, DataDome, PerimeterX) at default settings, or (iv) the maintainer disappears / repo goes unmaintained — downgrade significantly or archive.
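
The binary check recommended in the integration notes and the patched-binary supply-chain point above, as an added example (not CloakBrowser's own code): it pins a SHA-256 digest for a build you have already vetted, in a sha256sum-style manifest, and fails closed if the file is unpinned or altered. The file name and sample bytes are constructed placeholders, and nothing is assumed about how the project actually distributes its binary.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so a large browser binary is never read into memory whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines: 64 hex chars, a space, ' ' or '*', then the name."""
    pins: dict[str, str] = {}
    for line in filter(str.strip, text.splitlines()):
        digest, _, rest = line.partition(" ")
        well_formed = len(digest) == 64 and set(digest.lower()) <= set("0123456789abcdef")
        if not well_formed or rest[:1] not in (" ", "*") or len(rest) < 2:
            raise ValueError(f"malformed manifest line: {line!r}")
        if pins.setdefault(rest[1:], digest.lower()) != digest.lower():
            raise ValueError(f"conflicting pins for {rest[1:]!r}")
    return pins


def verify_binary(path: Path, manifest_text: str) -> bool:
    """True only if the file exists, is pinned, and its digest matches. Fails closed."""
    pinned = parse_manifest(manifest_text).get(path.name)
    if pinned is None or not path.is_file():
        return False
    return hmac.compare_digest(sha256_file(path), pinned)


def demo() -> tuple[bool, bool, bool]:
    """Constructed sample: a stand-in binary, its pin, a tampered copy, an unpinned file."""
    with tempfile.TemporaryDirectory() as tmp:
        binary = Path(tmp) / "patched-chromium"  # hypothetical name, not the project's
        binary.write_bytes(b"\x7fELF constructed sample bytes")
        manifest = f"{sha256_file(binary)}  {binary.name}\n"  # stands in for a vetted pin
        trusted = verify_binary(binary, manifest)
        binary.write_bytes(b"\x7fELF constructed sample bytes\x90")  # simulate tampering
        tampered = verify_binary(binary, manifest)
        return trusted, tampered, verify_binary(Path(tmp) / "other-binary", manifest)


if __name__ == "__main__":
    print(demo())
```

A pinned digest only detects change after vetting; it does not show that the vetted build itself was clean, so the manifest should come from your own from-source build or a separately verified release.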

Try It

  1. Pull the repo and read the install instructions: gh repo clone CloakHQ/CloakBrowser && cd CloakBrowser && cat README.md. Identify how the patched Chromium binary is distributed (wheel? script-download? self-build?).
  2. Reproduce the 30/30 claim. Install in an isolated environment, run against bot.sannysoft.com + creepjs.com + fingerprintjs demo. Count failures. Compare against vanilla Playwright in the same environment.
  3. Legitimate-use evaluation. Point it at your own site’s bot-detection layer (if you have one). Measure what gets through. This is the highest-leverage internal-QA application.
  4. Compare side-by-side to Browserbase Autobrowse on a content-retrieval task (managed-cloud vs. self-hosted, identical target). Different cost profiles, different deployment shapes.
  • Browserbase Autobrowse — managed-cloud cousin; bot-evasion as side-effect of high-quality emulation rather than primary objective
  • TinyFish — full-Chromium fetch-content surface already in this wiki; complementary scope (content retrieval) rather than competing
  • ScrapeCreators — adjacent web-scraping infrastructure
  • Shopify Review Scraper — concrete scraping workflow; CloakBrowser would be a swap-in for the browser layer where target sites block default Playwright