Neomano Web Snapshot (Headless)

Pass. Audited by ClawScan on May 1, 2026.

Overview

This skill does what it says—installs Playwright/Chromium, opens a requested URL in a headless browser, and saves a screenshot—with no evidence of hidden data theft, persistence, or credential use.

This appears safe for its stated purpose. Before installing, be comfortable with it downloading Playwright/Chromium, visiting the requested URL from your machine, and saving PNG files locally. Keep screenshot outputs in a local snapshots folder and avoid using it against private internal sites unless you intend to capture them.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill can download and store third-party browser automation components on the machine.

Why it was flagged

The setup flow downloads npm dependencies and a browser binary. This is expected for Playwright-based screenshots, but it relies on external package/browser provenance during setup.

Skill content

bun install

# Install Chromium for Playwright (headless)
bunx playwright install chromium

Recommendation

Run setup only for a skill source you trust, and prefer using the included lockfile or pinned dependency versions where possible.

What this means

The machine will make network requests to the target page and render its active web content in headless Chromium.

Why it was flagged

The skill launches a headless browser and loads the provided URL, which means normal webpage JavaScript may run in the browser context. This is central to rendering screenshots.

Skill content

const browser = await chromium.launch({ headless: true });
const page = await browser.newPage({ viewport: { width: 1365, height: 768 } });

await page.goto(args.url, { waitUntil: "networkidle", timeout: args.timeoutMs });

Recommendation

Use it for URLs you intend to visit, and avoid pointing it at sensitive internal services unless that is explicitly desired.

What this means

If given an unsafe output path, the script could create directories or overwrite a writable file with a PNG screenshot.

Why it was flagged

The screenshot output path is resolved directly from the command argument and directories are created recursively. The default output is under ./snapshots, but a caller can choose another writable path.

Skill content

const outPath = path.resolve(args.out);
fs.mkdirSync(path.dirname(outPath), { recursive: true });
...
await page.screenshot({ path: outPath, fullPage: args.fullPage });

Recommendation

Use the default snapshots directory or an explicit project-local output path; do not direct output to protected or important existing files.