Web Pilot
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: web-pilot
Version: 1.0.0
The skill bundle is classified as suspicious due to several high-risk capabilities that, while part of its stated functionality, introduce significant vulnerabilities if misused. Specifically, `scripts/download_file.py` and `scripts/browser_session.py` allow writing files (downloads, screenshots, PDFs) to arbitrary paths on the host system, which could lead to arbitrary file write vulnerabilities. Additionally, `scripts/browser_session.py` includes an `eval` action that permits arbitrary JavaScript execution within the browser context, posing a risk for client-side data theft or browser exploitation. `scripts/download_file.py` also weakens security by falling back to `verify=False` for SSL errors. These are powerful primitives that could be exploited via prompt injection against the AI agent, but there is no clear evidence of intentional malicious behavior (e.g., covert exfiltration, persistence mechanisms) within the code itself.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or misconfigured download URL could cause a file to be saved outside the folder the user expected, anywhere the agent process has permission to create files.
A server-supplied or URL-derived filename is joined directly to the output directory and written without rejecting absolute paths, path separators, or '..' traversal.
return match.group(1).strip() ... filepath = os.path.join(output_dir, filename) ... with open(filepath, "wb") as f:
Sanitize filenames to a basename, reject absolute paths and '..', and verify the resolved path remains inside the selected output directory before writing.
A file could be downloaded over a tampered or spoofed HTTPS connection if certificate validation fails.
On TLS certificate errors, the downloader automatically retries with certificate verification disabled, with no explicit user opt-in.
except requests.exceptions.SSLError:
    # Retry without SSL verification if certs are broken
    resp = requests.get(..., verify=False)
Fail closed by default, or require an explicit clearly named option such as --insecure and include a warning in the output.
While a browser session is open, another local process running with sufficient local access could potentially control the browser session or extract page content.
The persistent browser server listens on a predictable /tmp Unix socket and processes raw JSON commands; the provided command path shows no authentication, token, or peer validation.
SOCKET_PATH = "/tmp/web-pilot-browser.sock" ... sock.bind(SOCKET_PATH) ... conn, _ = sock.accept() ... cmd = json.loads(raw.decode())
Use a per-session random socket path inside a user-private 0700 directory, restrict socket permissions, authenticate commands, and clean up socket/PID files reliably.
Text from a page the user opens may remain on local disk outside stdout, which can matter if the page contains private information.
The initial extracted page content is written to a fixed temporary file, which is not clearly described in the user-facing instructions.
with open("/tmp/web-pilot-initial.json", "w") as f:
    json.dump(result, f, ensure_ascii=False)
Disclose this local cache, store it in a user-private location with restrictive permissions, and delete it when the session is closed.
If the agent turns untrusted webpage text into eval input, it could run unintended JavaScript in the active page context.
The browser session exposes a documented JavaScript evaluation command. This is purpose-aligned for browser automation but is a broad escape hatch if used with untrusted instructions.
python3 scripts/browser_session.py eval "document.title"
Require explicit user approval for eval, avoid constructing eval code from page content, and prefer narrower built-in actions where possible.
On sensitive or logged-in sites, the agent could submit information or accept cookie choices if instructed to do so.
The skill can submit forms and automatically click cookie-consent controls. These actions are disclosed and aligned with accessibility/browser automation, but they can change website state.
python3 scripts/browser_session.py fill "input[name=q]" "search term" --submit ... Cookie consent is auto-dismissed on open/navigate
Use explicit confirmation before submitting forms or changing consent choices, and use --no-dismiss when cookie decisions should remain manual.
The installed dependency versions may vary over time, which can affect security and reproducibility.
The skill depends on installing Python packages and a Chromium browser runtime. This is expected for the stated purpose, but versions are not pinned in the instructions.
Install: `pip install requests beautifulsoup4 playwright && playwright install chromium`
Install in an isolated environment and prefer pinned dependency versions or a reviewed lockfile.
