Skill v1.0.0

ClawScan security

Chrome Automation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 3, 2026, 7:21 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill mostly does what it claims (Chrome + Playwright stealth automation), but contains multiple coherence and safety issues — hardcoded user paths, sudo install steps inside instructions despite registry saying none, and a form-filling function that prints secrets to stdout — so review and remediation are recommended before use.
Guidance
What to consider before installing/using this skill:
- Hardcoded paths: The skill and script use /home/Kano and ~/.playwright-env and save screenshots under that home. Edit the SKILL.md and scripts to use the agent's workspace or configurable paths before running; otherwise it will fail or use another user's home.
- Privileged install steps: The install commands call sudo apt and download a .deb. Don't run those blindly on production hosts; run them in an isolated VM or container and review the commands first.
- Credential leakage: auto_fill_form prints each selector and value to stdout ("填写 {selector}: {value}"). If you feed real usernames/passwords or API tokens, they will appear in logs. Remove or sanitize these prints and avoid passing secrets directly as plaintext arguments.
- Missing test file / metadata mismatch: The registry metadata said 'no install spec' but SKILL.md contains one, and SKILL.md mentions a test script that is not included. Confirm the intended install flow with the author or adjust packaging.
- Browser flags and sandboxing: The instructions use --no-sandbox and Playwright launches with --no-sandbox. This is sometimes necessary on servers but weakens process isolation; prefer running inside a properly sandboxed container/VM.
- Network downloads during install: Playwright and Chromium will download additional binaries at install/runtime. If your environment restricts outbound downloads, account for that and verify sources.
Recommended immediate actions: run the skill only in an isolated environment, remove/replace hardcoded paths, remove printing of form values or otherwise secure secret handling, and confirm the install instructions with the skill author or maintainers before granting sudo or running on production systems.

Review Dimensions

Purpose & Capability
note: The name/description align with the included code and commands: it uses Chrome and Playwright to take screenshots and automate forms. However, the SKILL.md and script assume a specific user/home (/home/Kano, ~/.playwright-env, ~/.openclaw/workspace) which is environment-specific and not justified in metadata. SKILL.md references a test script (scripts/test_playwright.py) that is not included in the package.
Instruction Scope
concern: Runtime instructions include system-level install steps (wget + sudo apt install), creating a venv, and running playwright install (which downloads browser binaries). The Python script auto_fill_form prints each selector and value (i.e., it logs sensitive form values), creating a clear leakage risk. The instructions use --no-sandbox Chrome flags and write outputs to hardcoded home paths; they also modify navigator properties in-page (expected for 'stealth' behavior). The latter is coherent, but the logging of form data and hardcoded paths are out-of-scope risk factors.
Install Mechanism
note: The SKILL.md contains an install section (wget from dl.google.com and apt install of the .deb; pip install playwright; playwright install chromium). Download sources are official (Google and Playwright), which is expected. However, registry metadata indicated 'No install spec' while SKILL.md includes install commands; this metadata vs. author instructions mismatch is inconsistent. The use of apt and sudo elevates privilege requirements for installation.
Credentials
concern: The skill requests no environment variables or external credentials, which matches its purpose. But it hardcodes file system locations under /home/Kano and ~/.playwright-env, and the form auto-fill routine prints the actual values to stdout (risking credential leakage in logs). The number and type of environment accesses are otherwise minimal, but the hardcoded paths and plaintext logging of form values are disproportionate and risky.
Persistence & Privilege
note: The skill is not marked always:true and allows model invocation (defaults), which is normal. The install commands require sudo for apt installs, which requires elevated privileges at install time; the skill does not request persistent system-wide configuration or modify other skills, but the installer will write to system locations when run.