ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

browser-auto-download

v1.0.1

Browser-automated file download with enhanced features. Auto-detects platform (Windows/macOS/Linux, 64/32-bit, ARM/Intel), handles multi-step navigation (homepage to platform-specific pages), captures auto-downloads triggered on page load, and falls back to button clicking when needed. Ideal for complex download flows where curl/wget fail due to client-side rendering, automatic downloads, or multi-page navigation. Features page scrolling for lazy content, extended wait times, and Golang support.

1· 1.9k·4 current·4 all-time
by@aaronxx
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, SKILL.md, README, and the included Python script consistently implement Playwright-based browser automation to detect and save downloads and navigate multi-step pages. Required env/config/credentials are none, which is consistent with a local downloader tool.
Instruction Scope
Instructions direct the skill to open arbitrary target URLs, navigate, click elements, and capture download events — exactly what the description promises. The skill also offers a debug mode that saves screenshots, full page HTML and extracted text into ~/Downloads/browser-auto-download-debug; this can capture sensitive page content (forms, tokens) if used against authenticated or sensitive pages.
Install Mechanism
No install spec in the registry; the documentation instructs users to pip install playwright and run playwright install chromium. This is a standard dependency for the described functionality and proportional to the task.
Credentials
The skill requests no environment variables, credentials, or config paths. It uses the local filesystem (user Downloads folder) for output and debug artifacts — appropriate for a downloader but worth noting for privacy.
Persistence & Privilege
The skill is not always-enabled, does not request elevated agent privileges, and does not modify other skills or system-wide configs. It runs when invoked and stores output/debug files under the user's Downloads directory.
Assessment
This skill appears to do what it says: it launches a real browser via Playwright, opens the target URL, navigates and clicks to trigger downloads, and saves files locally. Before installing/using it: 1) be aware debug mode saves screenshots, the full page HTML and extracted text into your Downloads folder — avoid running debug against sites containing credentials or sensitive content; 2) run it in a controlled environment (VM/container) when testing unknown sites because pages' JavaScript will execute in a real browser; 3) ensure you trust the target URL(s) before allowing automatic clicks/downloads; 4) limit output_dir to a directory you control and monitor filesystem writes; and 5) verify and install Playwright from official sources (pip and playwright install) as required. If you want extra assurance, review the remainder of scripts/auto_download.py (the truncated tail) for any network callbacks or unusual outbound connections before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97da8evk2wf4ey97vhv1pcmfs80g4tc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments