web-screenshot

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a straightforward webpage screenshot/PDF helper, with minor review notes because it runs local headless browser automation and relies on a hard-coded Playwright cache path.

Before installing, confirm you are comfortable with the agent running local headless Chromium to visit supplied URLs and save image/PDF files. Use authorized/public pages where possible, choose output paths carefully, and verify the local Node.js/Playwright dependency rather than relying blindly on the hard-coded cache path.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked with an unintended URL or output path, the agent could visit that page from the user's environment and save or overwrite the chosen output file.

Why it was flagged

The helper renders a caller-supplied URL and writes to a caller-supplied output path using Chromium with sandbox-disabling flags. This is aligned with the screenshot purpose, but it is still meaningful local browser/file-write authority.

Skill content

const url = process.argv[2];
const output = process.argv[3];
...
const browser = await chromium.launch({ headless: true, args: ['--no-sandbox', '--disable-setuid-sandbox'] });
...
await page.goto(url, { waitUntil: 'domcontentloaded', timeout: 20000 });
await page.screenshot({ path: output, fullPage: fullPage });

Recommendation

Use the skill only for URLs you intend to capture, prefer the default /tmp output path unless you need another location, and avoid using it on sensitive or untrusted pages unless it is run in an isolated environment.

What this means

The skill's behavior depends on a local cached Playwright installation; if that dependency is missing, stale, or tampered with, the skill may fail or run code not represented in the reviewed artifacts.

Why it was flagged

The script relies on Playwright from a hard-coded local npx cache path that is outside the provided artifact manifest and not declared by an install specification.

Skill content

NODE_PATH=/root/.npm/_npx/e41f203b7505f1fb/node_modules \
  node "$PLAYWRIGHT_SCRIPT" "$URL" "$OUTPUT" "$FULLPAGE_FLAG" 2>/dev/null

Recommendation

Verify that Node.js and Playwright come from a trusted installation, and prefer a pinned, declared dependency/install process instead of relying on a root npx cache path.