ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

axelhu-playwright-scrape

v1.2.2

Scrapes dynamic webpages using Playwright with system Chrome in simple or stealth mode, returning JSON with title, content, images, and links.

0· 58·0 current·0 all-time
by@axelhu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Functionality (Playwright + system Chrome) matches the skill's stated purpose: scraping dynamic pages and reusing a logged-in Chrome profile is a legitimate approach for authenticated scraping. The included scripts and examples are consistent with that goal, though some practices (reusing Default profile) are risky even if functionally coherent.
!
Instruction Scope
SKILL.md explicitly instructs creating a ~/bin/google-chrome wrapper and adding it to ~/.bashrc (persistently changing user behavior), starting Chrome with --remote-debugging-port, reusing the Default Chrome profile, and programmatically extracting cookies (example shows reading SESSDATA and calling B站 APIs). Those instructions go beyond simple scraping and enable access to all cookies/session state and persistent remote debugging exposure.
Install Mechanism
No packaged install spec; user is expected to npm install playwright in a workspace. No external/untrusted downloads or automatic code installation are specified in the skill itself. This is lower-risk than remote downloads, but requires running npm install manually.
!
Credentials
The skill declares no required env vars, but the instructions rely on $HOME, ~/.config/google-chrome/Default, PATH/.bashrc modifications and DISPLAY. More importantly, it instructs accessing browser cookies and using them to call site APIs — access to cookies and profile data is far broader than a simple anonymous scraper needs and is sensitive.
!
Persistence & Privilege
The SKILL.md recommends persistent changes: adding a wrapper script to ~/bin and exporting PATH in ~/.bashrc so every shell runs Chrome with remote debugging enabled. That creates lasting changes to the user environment and increases attack surface (remote debugging accessible on localhost) and can unintentionally expose session state to other local processes.
What to consider before installing
This skill will work for logged-in, JS-heavy sites, but it asks you to reuse your default Chrome profile and to add a wrapper that forces Chrome to start with a remote debug port — both actions expose cookies/session tokens and make persistent environment changes. Before installing/running: 1) avoid using the Default profile — create a dedicated user-data-dir for scraping so your personal cookies/passwords aren't exposed; 2) do NOT blindly add the wrapper to your PATH or ~/.bashrc — instead run Chrome with the debug flag explicitly when needed; 3) prefer running npm install/playwright and the scraper inside an isolated account, container, or VM; 4) review scripts (start-chrome-debug.sh, the wrapper) and remove any automatic PATH modifications; 5) if you don't want the skill to access logged-in state, use headless mode or a fresh profile; and 6) treat any automated extraction of cookies (SESSDATA) as high-sensitivity — don't allow it unless you understand and accept the risks.

Like a lobster shell, security has layers — review code before you run it.

latestvk979x1hh1kz1kr32ga9g5nqmkn843c8a

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments