webpage-reader-skill
Warn: Audited by ClawScan on May 18, 2026.
Overview
The skill mostly matches its webpage-reading purpose, but it can automatically run system installation commands and loads arbitrary pages in Chrome with weak isolation.
Install only if you are comfortable with a webpage-reading skill that may attempt to install Chrome and that runs untrusted pages through Chrome. Prefer using it after manually installing Chrome, restrict inputs to ordinary http/https URLs you trust, and avoid using it for signed-in or sensitive pages unless the browser profile is isolated.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill on a machine without Chrome could attempt to change system software and may prompt for administrator privileges.
The main flow can trigger package-manager installation commands at runtime when Chrome is missing, including a brew command on macOS and a sudo apt-get command on Linux, without a separate install specification or an explicit approval step in the code.
logger.info("Chrome not found, attempting to install...") ...
subprocess.run(['brew', 'install', 'google-chrome'], check=True) ...
subprocess.run(['sudo', 'apt-get', 'install', '-y', 'google-chrome-stable'], check=True)
Make Chrome a declared prerequisite or a separate reviewed install step; require explicit user approval before any package-manager command; document exactly which commands may run.
A malicious or compromised page is processed with reduced browser containment; local or internal URLs may also be fetched if Chrome accepts the provided URL.
The skill loads the supplied URL in Chrome with --no-sandbox, which removes the renderer sandbox so that a renderer compromise by a malicious page runs with the invoking user's privileges, and the artifacts do not show any URL scheme or destination restrictions.
chrome_cmd = [ ... '--headless=new', '--no-sandbox', ... '--dump-dom', url ]
Avoid --no-sandbox unless strictly necessary, restrict accepted URLs to expected schemes such as http/https, and require user confirmation for local, private-network, or unusual destinations.
Depending on Chrome behavior on the user's system, requests could interact with existing browser state such as cookies or signed-in sessions, and returned HTML could include account-specific content.
The Chrome invocation does not pass an isolated temporary --user-data-dir or an incognito profile before loading arbitrary URLs, so Chrome may fall back to its default profile location and the browser session/profile boundary is not clearly controlled.
chrome_cmd = [ 'google-chrome' if platform.system() != 'Windows' else 'chrome', '--headless=new', ... '--dump-dom', url ]
Run Chrome with a fresh temporary --user-data-dir, avoid using existing cookies or profiles by default, and clearly declare any intended session or credential use.
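The following is an added example written for this review, not code from the skill under audit, showing how the three recommendations above (no automatic installs, URL scheme and destination checks, a throwaway profile without --no-sandbox) fit together in one Chrome wrapper. The function and constant names, the candidate binary names, the `static_resolver` test helper and the approval callback are assumptions made for illustration; Chrome flags used are standard ones (--headless=new, --user-data-dir, --disable-extensions, --no-first-run, --dump-dom).

```python
import ipaddress
import shutil
import socket
import subprocess
import tempfile
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Candidate binary names to look up on PATH; a missing Chrome is reported, never installed.
CHROME_CANDIDATES = ["google-chrome", "google-chrome-stable", "chromium", "chromium-browser", "chrome"]


def _is_internal(addr):
    """True for loopback, RFC1918/ULA, link-local, multicast, reserved or unspecified addresses."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def url_risk(url, resolver=socket.getaddrinfo):
    """Classify a URL: ('ok', ...), ('reject', reason) or ('confirm', reason).

    'confirm' means the destination is local/private and the user must approve it.
    The resolver is injectable so the check can run offline. Note the caveat: a
    hostname is resolved here and again by Chrome, so DNS rebinding is not ruled out.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return "reject", f"unsupported scheme '{parts.scheme}'"
    host = parts.hostname
    if not host:
        return "reject", "URL has no host"
    try:
        # Literal IP in the URL: classify it directly.
        if _is_internal(host):
            return "confirm", f"literal internal address {host}"
        return "ok", host
    except ValueError:
        pass  # not an IP literal, fall through to name checks
    if host == "localhost" or host.endswith(".localhost"):
        return "confirm", f"local hostname {host}"
    try:
        addresses = {info[4][0] for info in resolver(host, None)}
    except OSError:
        return "confirm", f"host {host} did not resolve"
    internal = sorted(a for a in addresses if _is_internal(a))
    if internal:
        return "confirm", f"{host} resolves to internal address(es) {', '.join(internal)}"
    return "ok", host


def static_resolver(*addresses):
    """Constructed offline stand-in for socket.getaddrinfo returning fixed addresses."""
    return lambda host, port: [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, 0)) for a in addresses]


def find_chrome():
    """Locate an existing Chrome/Chromium binary; return None instead of installing one."""
    for name in CHROME_CANDIDATES:
        path = shutil.which(name)
        if path:
            return path
    return None


def build_chrome_cmd(chrome_path, url, user_data_dir):
    """Headless DOM dump with a throwaway profile and the sandbox left enabled."""
    return [
        chrome_path,
        "--headless=new",
        f"--user-data-dir={user_data_dir}",  # fresh profile: no existing cookies or sessions
        "--disable-extensions",
        "--no-first-run",
        "--dump-dom",
        url,
    ]


def read_page(url, approve=lambda reason: False, timeout=60):
    """Fetch rendered HTML for a vetted URL. The returned text is untrusted data."""
    chrome = find_chrome()
    if chrome is None:
        raise RuntimeError("Chrome not found; install it manually, this reader never runs package managers")
    verdict, reason = url_risk(url)
    if verdict == "reject":
        raise ValueError(f"refusing URL: {reason}")
    if verdict == "confirm" and not approve(reason):
        raise PermissionError(f"destination not approved: {reason}")
    with tempfile.TemporaryDirectory(prefix="reader-profile-") as profile:
        proc = subprocess.run(build_chrome_cmd(chrome, url, profile),
                              capture_output=True, text=True, timeout=timeout, check=True)
        return proc.stdout  # page content only; never interpret it as instructions
```

`read_page` raises rather than installing when Chrome is absent, refuses non-http(s) URLs outright, and only proceeds to a loopback, private or link-local destination when the `approve` callback (wired to a user prompt in a real agent) says yes; the temporary profile is deleted after each fetch, so nothing from a signed-in browser session can leak into the returned DOM.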
The agent may see instructions embedded in a webpage; those instructions should not be treated as user commands.
The skill returns raw webpage HTML content to the agent. This is expected for a webpage reader, but webpage content is untrusted and can contain prompt-injection text.
result['content'] = content
Treat returned webpage content as data only, and ask the user before following any instructions found inside downloaded pages.
