Web Pilot

Review

Audited by ClawScan on May 10, 2026.

Overview

Web Pilot mostly matches its web-browsing purpose, but some download and persistent-browser boundaries are unsafe enough that users should review it before installing.

Install only if you are comfortable running a local Playwright/Chromium automation tool. Avoid untrusted downloads until filename confinement and TLS behavior are fixed, close persistent browser sessions when finished, use caution on logged-in or sensitive sites, and disable automatic cookie dismissal when you want to make consent choices yourself.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or misconfigured download URL could cause a file to be saved outside the folder the user expected, anywhere the agent process has permission to create files.

Why it was flagged

A server-supplied or URL-derived filename is joined directly to the output directory and written without rejecting absolute paths, path separators, or '..' traversal.

Skill content

return match.group(1).strip()
...
filepath = os.path.join(output_dir, filename)
...
with open(filepath, "wb") as f:

Recommendation

Sanitize filenames to a basename, reject absolute paths and '..', and verify the resolved path remains inside the selected output directory before writing.

What this means

A file could be downloaded over a tampered or spoofed HTTPS connection if certificate validation fails.

Why it was flagged

On TLS certificate errors, the downloader automatically retries with certificate verification disabled, with no explicit user opt-in.

Skill content

except requests.exceptions.SSLError:
    # Retry without SSL verification if certs are broken
    resp = requests.get(..., verify=False)

Recommendation

Fail closed by default, or require an explicit, clearly named option such as --insecure and include a warning in the output.

What this means

While a browser session is open, another local process with sufficient access could potentially control the browser session or extract page content.

Why it was flagged

The persistent browser server listens on a predictable /tmp Unix socket and processes raw JSON commands; the provided command path shows no authentication, token, or peer validation.

Skill content

SOCKET_PATH = "/tmp/web-pilot-browser.sock"
...
sock.bind(SOCKET_PATH)
...
conn, _ = sock.accept()
...
cmd = json.loads(raw.decode())

Recommendation

Use a per-session random socket path inside a user-private 0700 directory, restrict socket permissions, authenticate commands, and clean up socket/PID files reliably.

What this means

Text from a page the user opens may remain on local disk outside stdout, which can matter if the page contains private information.

Why it was flagged

The initial extracted page content is written to a fixed temporary file, which is not clearly described in the user-facing instructions.

Skill content

with open("/tmp/web-pilot-initial.json", "w") as f:
    json.dump(result, f, ensure_ascii=False)

Recommendation

Disclose this local cache, store it in a user-private location with restrictive permissions, and delete it when the session is closed.

What this means

If the agent turns untrusted webpage text into eval input, it could run unintended JavaScript in the active page context.

Why it was flagged

The browser session exposes a documented JavaScript evaluation command. This is purpose-aligned for browser automation but is a broad escape hatch if used with untrusted instructions.

Skill content

python3 scripts/browser_session.py eval "document.title"

Recommendation

Require explicit user approval for eval, avoid constructing eval code from page content, and prefer narrower built-in actions where possible.

What this means

On sensitive or logged-in sites, the agent could submit information or accept cookie choices if instructed to do so.

Why it was flagged

The skill can submit forms and automatically click cookie-consent controls. These actions are disclosed and aligned with accessibility/browser automation, but they can change website state.

Skill content

python3 scripts/browser_session.py fill "input[name=q]" "search term" --submit
...
Cookie consent is auto-dismissed on open/navigate

Recommendation

Use explicit confirmation before submitting forms or changing consent choices, and use --no-dismiss when cookie decisions should remain manual.

What this means

The installed dependency versions may vary over time, which can affect security and reproducibility.

Why it was flagged

The skill depends on installing Python packages and a Chromium browser runtime. This is expected for the stated purpose, but versions are not pinned in the instructions.

Skill content

Install: `pip install requests beautifulsoup4 playwright && playwright install chromium`

Recommendation

Install in an isolated environment and prefer pinned dependency versions or a reviewed lockfile.