Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
browser-automation-skills
v1.0.0Browser automation skills for AI models — navigate, screenshot, interact, scrape, debug, test, and record browser sessions. Controls local Google Chrome via...
⭐ 0· 126·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the delivered artifacts: SKILL.md, README, API docs and scripts/browser.py implement navigation, screenshot, interact, scrape, debug, test and record via CDP/Playwright. The Playwright CLI adapter is a coherent implementation of the claimed capability.
Instruction Scope
Runtime instructions and the included script direct the agent to read full DOM, capture screenshots, list network requests, capture console logs, click/type (including login flows), and lock user input with a full-screen overlay. These behaviors go beyond passive observation: they permit active interaction with and inspection of arbitrary websites and can capture sensitive in-page data. The code also references environment variables and skill directory paths (e.g., BROWSER_CDP_ENDPOINT, CLAUDE_SKILL_DIR) that are not declared in the skill metadata.
Install Mechanism
No install spec in registry (instruction-only skill plus one Python script). The script requires the user to run 'pip install playwright' themselves; nothing is fetched automatically during installation. This lowers supply-chain risk but means runtime dependency installation and execution are manual and must be audited by the user.
Credentials
The manifest lists no required env vars, but the code uses BROWSER_CDP_ENDPOINT (defaulting to http://localhost:9222) and documentation references CLAUDE_SKILL_DIR. Allowing the CDP endpoint to be set by env var means the skill can be pointed at an arbitrary CDP host (including a remote host) without that being declared. Additionally, network/console inspection via CDP can expose sensitive tokens or page-injected secrets. The skill does not request credentials itself, but instructions (and the 'interact' skill) explicitly describe performing login flows, which could cause credentials to be entered or captured.
Persistence & Privilege
always:false (good) and autonomous invocation is allowed (normal), but combined with the skill's ability to lock user input, persist CLI session state, inspect network/console data, and perform multi-step interactions, autonomous execution increases potential for undesired or surprising actions. The 'lock' feature (injecting an overlay to block user input) is especially intrusive and increases the blast radius if the skill is invoked without careful controls.
What to consider before installing
This skill is functionally coherent for browser automation, but it contains high-impact actions you should be aware of before installing or enabling automatic use. Specific points to consider:
- Review the Python script yourself before running; it will connect to a Chrome DevTools (CDP) endpoint and drive your existing Chrome instance.
- The script reads DOM, lists network requests and console logs: these can disclose sensitive data (tokens, cookies, secrets embedded in pages). Avoid running on pages with private data unless you trust the skill and runtime.
- The skill supports login flows and typing into pages — do not let it handle credentials unless you explicitly provide them in a controlled, ephemeral way you trust.
- The script honors a BROWSER_CDP_ENDPOINT env var (not declared in the manifest). Make sure this is set to a local-only endpoint (e.g., http://localhost:9222) and not exposed to the network; exposing CDP to a network address can let other systems control your browser.
- The 'lock' command injects a full-screen overlay that blocks user input; this is intrusive and could be abused. Favor manual invocation (do not enable broad autonomous invocation) and test in a safe environment first.
- If you decide to use it: run the script in an isolated account/VM, limit automatic/auto-invocation privileges, and only grant terminal access to trusted models. If unsure, do not install or run the Playwright adapter until you can audit the code and runtime in a sandbox.Like a lobster shell, security has layers — review code before you run it.
latestvk97fys0qrxq6s07hbpb7tc4x15834f5h
License
MIT-0
Free to use, modify, and redistribute. No attribution required.