Dynamic Web Fetch
v1.0.0动态网页抓取工具 - 使用 Playwright 支持 JavaScript 渲染的网页内容抓取
⭐ 0· 8·0 current·0 all-time
by@linzmin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description, SKILL.md, README, and scripts/fetch.py consistently implement a Playwright-based dynamic web fetcher. The dependencies and runtime behavior (install Playwright, launch headless chromium, fetch pages, optional screenshot) are expected for this purpose.
Instruction Scope
Runtime instructions and the Python script accept arbitrary URLs, optionally save screenshots to arbitrary paths, and render/extract page content. This is expected for a scraper, but it also means the skill can be used to access internal network resources or metadata endpoints (SSRF-like risk) and write files locally. The SKILL.md does not constrain allowed domains or sanitize inputs.
Install Mechanism
The manifest has no automated install spec, but SKILL.md instructs users to run `pip install playwright` and `playwright install chromium`. This is a standard install flow; it will download browser binaries from Playwright's installation endpoints and write them to disk. No unusual or obfuscated download URLs are present in the package itself.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The code does not try to read secrets or other environment data beyond parameters supplied at runtime, which is proportionate to a web scraper.
Persistence & Privilege
The skill is not marked always:true and does not alter other skills or system-wide agent settings. It can be invoked autonomously (platform default), which is normal; combined with the ability to fetch arbitrary URLs this increases potential impact, but that is an intrinsic capability of any web-fetch skill rather than an unexpected privilege escalation.
Assessment
This skill appears to do what it says: run a headless Playwright browser to fetch rendered page content. Before installing or invoking it: 1) Review the scripts/fetch.py file (already included) and only run it in an isolated environment (container/VM) to limit damage if misused. 2) Be cautious about passing URLs you don’t fully trust — the skill can access internal network endpoints or metadata services. 3) The install step downloads Chromium via Playwright; ensure you install from the official pip/Playwright channels. 4) When using the screenshot option, pick safe file paths to avoid overwriting important files. 5) If you need stricter controls, restrict allowed target domains or add input validation/sandboxing before granting the skill network access.Like a lobster shell, security has layers — review code before you run it.
dynamicvk97923srtjy99hpmyw5ktwx9cd84hn4afetchvk97923srtjy99hpmyw5ktwx9cd84hn4alatestvk97923srtjy99hpmyw5ktwx9cd84hn4aplaywrightvk97923srtjy99hpmyw5ktwx9cd84hn4areal-timevk97923srtjy99hpmyw5ktwx9cd84hn4ascrapervk97923srtjy99hpmyw5ktwx9cd84hn4awebvk97923srtjy99hpmyw5ktwx9cd84hn4a
License
MIT-0
Free to use, modify, and redistribute. No attribution required.