web-screenshot

Pass

Audited by VirusTotal on May 9, 2026.

Overview

Type: OpenClaw Skill
Name: web-screenshot
Version: 1.1.3

The skill is a utility for capturing web screenshots and exporting PDFs using Playwright. The core logic in `scripts/screenshot.sh` generates a temporary Node.js script to automate a headless Chromium browser. While it uses a hardcoded path for Node modules (`/root/.npm/_npx/...`) and disables the browser sandbox (common in containerized environments), there is no evidence of data exfiltration, malicious execution, or prompt injection. The behavior is consistent with the stated purpose of the tool.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked with an unintended URL or output path, the agent could visit that page from the user's environment and save or overwrite the chosen output file.

Why it was flagged

The helper renders a caller-supplied URL and writes to a caller-supplied output path using Chromium with sandbox-disabling flags. This is aligned with the screenshot purpose, but it is still meaningful local browser/file-write authority.

Skill content

const url = process.argv[2];
const output = process.argv[3];
...
const browser = await chromium.launch({ headless: true, args: ['--no-sandbox', '--disable-setuid-sandbox'] });
...
await page.goto(url, { waitUntil: 'domcontentloaded', timeout: 20000 });
await page.screenshot({ path: output, fullPage: fullPage });

Recommendation

Use the skill only for URLs you intend to capture, prefer the default /tmp output path unless you need another location, and avoid using it on sensitive or untrusted pages unless it is run in an isolated environment.

What this means

The skill's behavior depends on a local cached Playwright installation; if that dependency is missing, stale, or tampered with, the skill may fail or run code not represented in the reviewed artifacts.

Why it was flagged

The script relies on Playwright from a hard-coded local npx cache path that is outside the provided artifact manifest and not declared by an install specification.

Skill content

NODE_PATH=/root/.npm/_npx/e41f203b7505f1fb/node_modules \
  node "$PLAYWRIGHT_SCRIPT" "$URL" "$OUTPUT" "$FULLPAGE_FLAG" 2>/dev/null

Recommendation

Verify that Node.js and Playwright come from a trusted installation, and prefer a pinned, declared dependency/install process instead of relying on a root npx cache path.