Chrome Screenshot
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: chrome-screenshot
Version: 1.0.0

The skill uses `scripts/screenshot.sh` to render HTML via a local Python server and headless Chrome. It is classified as suspicious because shell arguments (such as the width and the HTML filename) are interpolated directly into a JavaScript string passed to `node -e` without sanitization, which allows arbitrary Node.js code execution if the agent passes untrusted input. In addition, `python3 -m http.server` exposes the entire directory containing the target HTML file on local port 8877, and Chrome is launched with the high-risk `--no-sandbox` flag.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A maliciously crafted filename, output path, or width argument could make the agent run unintended local code under the user's account.
WIDTH, the HTML filename, and OUTPUT are inserted directly into JavaScript source passed to `node -e`. If those values contain quotes or JavaScript syntax, they can break out of the intended literals and execute arbitrary Node.js code.

```javascript
await page.setViewport({width: $WIDTH, height: 900});
...
await page.goto('http://127.0.0.1:$PORT/$NAME' ...);
...
await page.screenshot({path: '$OUTPUT', fullPage: true});
```

Validate width as an integer, pass paths through argv or environment variables instead of interpolating into `node -e`, and JSON-escape or encode any value embedded into JavaScript or URLs.
During rendering, other local processes could read any file served from that directory, and untrusted HTML would run in a less isolated browser process: with the sandbox disabled, a renderer exploit triggered by malicious HTML is not contained and runs with the full privileges of the Chrome process.
The script starts a localhost web server for the whole HTML directory and disables Chrome sandboxing. This is aligned with screenshot generation, but it increases risk if the HTML or directory contents are untrusted.

```
python3 -m http.server "$PORT" --bind 127.0.0.1 &
...
args: ['--no-sandbox', '--disable-setuid-sandbox']
```
Use only trusted, locally authored HTML in non-sensitive directories; consider serving only the target file and avoiding --no-sandbox when Chrome can run safely without it.
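The two findings above share one fix, shown here as an added example that is not the skill's own `scripts/screenshot.sh`: the wrapper validates WIDTH and PORT as integers, passes every value through the environment so the `node -e` source is a fixed string with nothing to break out of, and serves a staging directory that holds only the target HTML file. `vuln_js` reproduces the flagged interpolation pattern for comparison. `CHROME_BIN`, the `SHOT_*` variable names and the `--no-sandbox`-free launch are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the skill's own script): hardened counterpart to the
# interpolation pattern ClawScan flagged. SHOT_* names and CHROME_BIN are
# assumptions made for this example.

# --- Vulnerable pattern (as in the finding): shell values spliced into JS ---
vuln_js() {
  printf '%s' "await page.setViewport({width: $1, height: 900});
await page.goto('http://127.0.0.1:$2/$3');
await page.screenshot({path: '$4', fullPage: true});"
}

# --- Input checks (POSIX sh, no bash-isms) ---
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }
# one path component: no slashes, quotes, spaces or JS/URL metacharacters
is_safe_name() { case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; *) return 0 ;; esac; }
# width, port, html name, output path
validate_args() { is_uint "$1" && is_uint "$2" && is_safe_name "$3" && [ -n "$4" ]; }

# --- The JS never changes: every parameter is read from process.env ---
# No shell variable is expanded into this single-quoted string, so a quote
# or "});" in an argument can only ever be data.
SAFE_JS='const puppeteer = require("puppeteer-core");
(async () => {
  const browser = await puppeteer.launch({executablePath: process.env.CHROME_BIN});
  const page = await browser.newPage();
  await page.setViewport({width: Number(process.env.SHOT_WIDTH), height: 900});
  await page.goto("http://127.0.0.1:" + process.env.SHOT_PORT + "/" + encodeURIComponent(process.env.SHOT_NAME));
  await page.screenshot({path: process.env.SHOT_OUTPUT, fullPage: true});
  await browser.close();
})();'

# --- Serve only the target file: copy it into a fresh temp directory ---
stage_single_file() {
  dir=$(mktemp -d) || return 1
  cp -- "$1" "$dir/" || { rm -rf "$dir"; return 1; }
  printf '%s\n' "$dir"
}

# Full run: validate, stage, serve on 127.0.0.1 only, render, clean up.
# Usage: run_screenshot WIDTH PORT /path/to/page.html out.png
run_screenshot() {
  name=$(basename -- "$3")
  validate_args "$1" "$2" "$name" "$4" || { echo "rejected argument" >&2; return 2; }
  stage=$(stage_single_file "$3") || return 1
  ( cd "$stage" && exec python3 -m http.server "$2" --bind 127.0.0.1 ) &
  srv=$!
  sleep 1
  SHOT_WIDTH="$1" SHOT_PORT="$2" SHOT_NAME="$name" SHOT_OUTPUT="$4" node -e "$SAFE_JS"
  rc=$?
  kill "$srv" 2>/dev/null
  rm -rf "$stage"
  return "$rc"
}
```

The output path is not restricted to a single component because it never reaches JavaScript source or a URL; it is only ever an environment variable value. The HTML name is restricted because it becomes a URL path segment, and `encodeURIComponent` on the JS side is a second layer rather than the only one.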
The behavior depends on whatever global puppeteer-core package is installed on the machine, which may vary by version or provenance.
The skill relies on a globally installed npm package without pinning a version. This is expected for the stated Chrome/puppeteer purpose, but users should understand the dependency source and version.
puppeteer-core installed globally: `npm install -g puppeteer-core`
Prefer a pinned dependency version or a reviewed local package setup, and document required binaries in metadata/install requirements.
