Reverse-engineering a real product is one of the best ways to actually understand how the modern web works. So I built wellfound-bot — an open-source (MIT, Python) project that turns your own Wellfound (ex-AngelList Talent) job hunt into a single command, and documents the whole thing as a learning resource.
The job-hunt part is the hook. The interesting part is the three layers of web automation I had to peel back to get there — each more "invisible" than the last.
Layer 1 — Human-like browser automation (Playwright)
Driving a browser is easy. Driving one that doesn't look like a robot is the actual skill. This layer uses Playwright with curved mouse paths, hovers, think-pauses, per-character typing with randomized timing, and rate limits — to understand what "human-like" really means at the event level.
Layer 2 — Read-only API capture over CDP
The moment you launch an automation browser, navigator.webdriver flips to true and you're flagged. So instead of faking a browser, this layer attaches to your own real Chrome over the Chrome DevTools Protocol and observes the GraphQL traffic the app already makes as you browse. You learn the API by watching it — read-only, navigator.webdriver stays false.
Layer 3 — Pure-HTTP replay with a Chrome TLS/JA3 fingerprint
Once you understand the endpoints, drop the browser entirely. Using curl_cffi, it replays captured requests over plain HTTP with Chrome's exact TLS/JA3 fingerprint and your cookies — indistinguishable from real Chrome at the network layer. No automation flags, no headless tells.
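Seen from the server side, a matching TLS fingerprint moves detection to request behaviour: a client that replays only the captured API requests never loads the pages and assets a browser fetches around them. The following is an added example, not code from wellfound-bot, that flags such sessions in a constructed access log; the log format, the `/graphql` path, the session ids and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (not real traffic). Both sessions carry the same
# placeholder TLS fingerprint, so the ja3 field alone cannot separate them.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z sess=browser1 ja3=CHROME_PLACEHOLDER "GET /jobs" 200
2024-05-01T10:00:01Z sess=browser1 ja3=CHROME_PLACEHOLDER "GET /static/app.js" 200
2024-05-01T10:00:02Z sess=browser1 ja3=CHROME_PLACEHOLDER "POST /graphql" 200
2024-05-01T10:00:09Z sess=browser1 ja3=CHROME_PLACEHOLDER "POST /graphql" 200
2024-05-01T10:00:20Z sess=browser1 ja3=CHROME_PLACEHOLDER "POST /graphql" 200
2024-05-01T10:05:00Z sess=replay1 ja3=CHROME_PLACEHOLDER "POST /graphql" 200
2024-05-01T10:05:01Z sess=replay1 ja3=CHROME_PLACEHOLDER "POST /graphql" 200
2024-05-01T10:05:02Z sess=replay1 ja3=CHROME_PLACEHOLDER "POST /graphql" 200
malformed line that the parser must skip
"""

LINE_RE = re.compile(r'^\S+ sess=(?P<sess>\S+) ja3=(?P<ja3>\S+) '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)" \d{3}$')
API_PATH = "/graphql"  # assumed API endpoint path


def summarize_sessions(log_text):
    """Count API calls versus page/asset loads for each session."""
    stats = defaultdict(lambda: {"api": 0, "other": 0, "ja3": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        s = stats[m["sess"]]
        s["ja3"].add(m["ja3"])
        if m["method"] == "POST" and m["path"] == API_PATH:
            s["api"] += 1
        else:
            s["other"] += 1
    return dict(stats)


def flag_api_only_sessions(log_text, min_api_calls=3):
    """Return sessions with many API calls and no page or asset loads."""
    return sorted(
        sess for sess, s in summarize_sessions(log_text).items()
        if s["api"] >= min_api_calls and s["other"] == 0
    )


if __name__ == "__main__":
    print(flag_api_only_sessions(SAMPLE_LOG))
```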
The one-command agent
```bash
python wf_agent.py --skills React --remote --limit 5
# or natural language (optional, via Claude):
python wf_agent.py "apply to 5 remote React jobs with pay"
```
Stack & setup
Python 3.10+, Playwright, curl_cffi, GraphQL. MIT licensed.
```bash
pip install -r requirements.txt && playwright install chromium
python login.py  # one-time manual login
python run.py
```
⚠️ Educational / personal-use only
Built to study web automation and API reverse-engineering — and to automate your own account, at your own risk. Automating Wellfound is against their ToS and accounts can be suspended. Don't mass-apply, scrape at scale, or operate accounts that aren't yours. The value is in understanding the techniques, not abusing them.