sjht-web-screenshot

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a straightforward Puppeteer screenshot tool, but it can use web-app credentials, run Chromium with sandboxing disabled, and save authenticated page screenshots locally.

Install only if you need automated web screenshots. Use trusted, pinned browser dependencies where possible; run against trusted sites or inside a container; provide least-privileged credentials; avoid storeLogin unless necessary; and save/review screenshots in a safe local folder before sharing.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you provide real credentials, the skill can view and capture pages available to that account.

Why it was flagged

The skill explicitly supports receiving web-app credentials so it can log in before taking screenshots. This is purpose-aligned for authenticated pages, but it grants access to protected account content.

Skill content

"login.credentials" | ✅* | `{ username, password }`

Recommendation

Use least-privileged or test accounts when possible, keep config files private, and review screenshots before sharing them.

What this means

A careless or untrusted config could make the browser invoke application actions beyond simply navigating and taking screenshots.

Why it was flagged

The advanced login path can invoke a configured Pinia store method in the target page. This is documented as a login fallback, but it is a broad in-page automation escape hatch if configured for methods other than login.

Skill content

This directly calls `pinia._s.get(storeName).method(...args)` via CDP.

Recommendation

Prefer normal form login; only use storeLogin with trusted configs and a clearly understood login-only store method.

What this means

A malicious or compromised website would have less browser sandbox protection than usual.

Why it was flagged

The script launches Chromium with sandbox protections disabled. This is common in some headless/container setups, but it reduces isolation when visiting untrusted sites.

Skill content

'--no-sandbox',
'--disable-setuid-sandbox'

Recommendation

Use this against trusted targets, or run it in a disposable/containerized environment; remove the --no-sandbox and --disable-setuid-sandbox flags if your Chromium setup can run with the sandbox enabled.

What this means

Different or compromised local installations of Puppeteer/Chromium could affect behavior.

Why it was flagged

The skill relies on globally installed runtime components without pinned versions in the provided artifacts, so the actual code executed depends on the local environment.

Skill content

- `puppeteer-core` (npm global)
- `chromium-browser` (`/usr/bin/chromium-browser`)

Recommendation

Install Puppeteer and Chromium from trusted sources, keep them updated, and consider pinning versions in a controlled environment.