Browser Ladder
v1.0.0Climb the browser ladder — start free, escalate only when needed. L1 (fetch) → L2 (local Playwright) → L3 (BrowserCat) → L4 (Browserless.io for CAPTCHA/bot bypass).
⭐ 3· 2.5k·2 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The ladder concept and requested binaries largely match the stated functionality: Docker is required for the Playwright rung and optional cloud services require API keys. Node is declared as required but the included runtime scripts (setup.sh, browse.sh) do not actually invoke node; Node is only used in the README examples. This is plausible (examples assume Node usage) but slightly disproportionate for the shipped scripts alone.
Instruction Scope
SKILL.md and scripts stay within the stated purpose: choose a rung, attempt curl/Docker/cloud, and return content/screenshots/PDFs. The setup script prompts for keys and writes them to a .env in the workspace; the browserless integration posts content to browserless endpoints. Nothing in the instructions asks the agent to read unrelated credentials or system files, but the setup modifies the workspace .env which can persist sensitive values.
Install Mechanism
No install spec is provided (instruction-only), so nothing arbitrary is downloaded or installed by the registry. The runtime uses standard public Docker images (mcr.microsoft.com/playwright) and curl; that is expected for Playwright-in-Docker usage.
Credentials
Only two optional credentials are declared (BROWSERCAT_API_KEY and BROWSERLESS_TOKEN) and both are relevant to Rungs 3–4. This is proportionate. Two handling concerns: (1) setup.sh writes keys in plaintext to a .env file in the workspace, which may be committed to source control if the workspace isn't protected; (2) browse.sh sends the Browserless token as a URL/query parameter in some requests (and SKILL.md shows the token in a WebSocket query string), which can be logged by intermediaries and increase token exposure risk.
Persistence & Privilege
always:false and normal invocation rights — no elevated or persistent platform privileges requested. The only persistent side-effect is storing optional API keys in the workspace .env via the setup script; the skill does not attempt to modify other skills or global agent configuration.
Assessment
This skill appears to do what it says (try curl → local Playwright via Docker → cloud fallbacks). Before installing or running it, consider:
- The setup script will prompt for API keys and save them plaintext to .env in your workspace. Do not run it in a repository you might push to origin unless you first add .env to .gitignore or otherwise protect the file. Consider storing keys in a secret manager instead of a workspace .env.
- Browserless token is passed in request URLs/WS query strings (and shown in examples). Tokens in URLs can be logged by proxies or servers; prefer sending tokens in headers if possible. Treat any supplied token as sensitive and rotate it if it may have been exposed.
- BrowserCat code path is TODO/unimplemented in the provided script; Rung 3 will not work until implemented.
- Node is declared as required but the provided scripts don't need it; if you won't use the Node examples you may not need Node installed.
- The skill uses Docker and pulls a Playwright image—ensure your Docker daemon is secured and you trust the Playwright image source (mcr.microsoft.com).
If you trust the author and follow the above precautions (protect .env, avoid committing secrets, prefer header-based auth where possible), the skill is reasonable to use. If you do not trust the source, avoid entering API keys or run the scripts in an isolated environment.Like a lobster shell, security has layers — review code before you run it.
latestvk971x5srd799hb56bmym5n876h800dne
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🪜 Clawdis
Binsnode, docker