ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Webpage Screenshot

v1.0.0

打开指定网页并截图为图片文件。在用户要求对某 URL 截图、保存网页为图片、或需要网页快照时使用。

0· 2.1k·8 current·9 all-time
by@malenconiaprincep
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (webpage screenshots) matches the instructions (npm script or MCP browser). However the skill metadata claims no required binaries or env vars while the SKILL.md plainly requires npm/npx and Playwright (a browser). That undeclared dependency is an inconsistency.
!
Instruction Scope
SKILL.md tells the agent to run a project-provided npm script (npm run screenshot) and to run 'npx playwright install chromium'. Running an arbitrary project script can execute any code in the repository and access local files; the instructions do not constrain or validate the script, nor do they warn about sandboxing. The MCP browser option is lower-risk but only provides snapshots, not files.
Install Mechanism
There is no install spec in the skill bundle, but the instructions require running 'npm install' and 'npx playwright install chromium' which will download packages and browser binaries from external registries. That is a moderate risk because it pulls code/binaries at runtime without being declared in metadata or audited by the registry.
Credentials
The skill does not request any environment variables, credentials, or config paths. There are no explicit credential requests inconsistent with the stated purpose.
Persistence & Privilege
always is false and there is no installation step that persists or modifies other skills or system-wide settings. The skill does not request elevated persistence privileges.
What to consider before installing
This skill can do what it says (take webpage screenshots) but its instructions expect you to run a project npm script and to install Playwright via npx — actions that will download and execute code. Before installing or invoking: 1) confirm the repository/script you will run (inspect package.json and the screenshot script) because npm scripts can run arbitrary commands; 2) prefer the MCP/browser snapshot mode if you only need a quick preview and want to avoid installing packages; 3) run npm/npx steps in a sandboxed environment (container/VM) if you must install Playwright; 4) ask the publisher for an explicit install spec or a self-contained script (or a known CLI dependency) so you can review what will be executed. If you cannot inspect the script or do not trust the project source, do not run the npm-based method.

Like a lobster shell, security has layers — review code before you run it.

latestvk975nsmqkh2k8b2f4ge0y9gyax8116ba

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments